Analysis
  max time kernel: 148s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-05-2024 03:48
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe
  Resource: win10v2004-20240426-en
General
  Target: 2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe
  Size: 71KB
  MD5: 9e9a9a2045cb2407c74c1d49ec012e32
  SHA1: d49e431544938f738f168776deff2bcfa9f496a5
  SHA256: c8f63c2be5f421a49ea2b72d43a842874529b25508c5f72c06f04177fd3f71f8
  SHA512: 295cf62000fbfabeb278709d7100ff6bdf7147d6edeb7ebc0817c6c5c592df7306c49a98c464936b9e1ad2f837587c09e921c2bf64375832912294d66db467c9
  SSDEEP: 1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTC:ZRpAyazIliazTC
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: CTS.exe, PID 3004
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
    by 2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
    by CTS.exe
Drops file in Windows directory (2 IoCs)
  File created C:\Windows\CTS.exe  by 2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe
  File created C:\Windows\CTS.exe  by CTS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1284  2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe
  Token: SeDebugPrivilege  PID 3004  CTS.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1284 (2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe) wrote to memory of PID 3004 (CTS.exe), recorded 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe (PID 1284)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\CTS.exe (PID 3004, child of 1)
      Command line: "C:\Windows\CTS.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
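The signature and process-tree sections above describe one chain: the sample in the user's Temp directory drops CTS.exe directly into the Windows root, registers it under a Run key, launches it, and writes into the child's memory. The following is an added example of detection logic for that chain, run over constructed Sysmon-style events; it is not code from the sandbox report or its vendor. It assumes telemetry arrives as one dict per event using Sysmon EventID numbers and field names (11 FileCreate, 13 RegistryEvent SetValue, 1 ProcessCreate, 10 ProcessAccess), and it assumes the report's WriteProcessMemory IoC surfaces as a ProcessAccess event whose GrantedAccess includes PROCESS_VM_WRITE. The PIDs 1284 and 3004 and the paths are taken from the report; the two benign events are constructed to show the rules do not fire on ordinary Run keys or process launches.

```python
"""Detection logic for the behaviour chain recorded in this report (drop into the
Windows root, Run-key persistence, launching the dropped copy, writing into its
memory), run over constructed Sysmon-style events.

Added example, not code from the sandbox report.  Assumed event layout: one dict
per event with Sysmon EventID numbers and field names; the report's
WriteProcessMemory IoC is assumed to surface as EventID 10 (ProcessAccess) with
PROCESS_VM_WRITE in GrantedAccess.
"""
import re

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WINDOWS_ROOT_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # winnt.h access right that WriteProcessMemory requires

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-24_9e9a9a2045cb2407c74c1d49ec012e32_bkransomware.exe")
CHILD = r"C:\Windows\CTS.exe"

# Constructed events modelled on the report's IoCs (PIDs 1284 and 3004 are the
# report's), followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 1284, "Image": PARENT, "TargetFilename": CHILD},
    {"EventID": 13, "ProcessId": 1284, "Image": PARENT,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS",
     "Details": CHILD},
    {"EventID": 1, "ProcessId": 3004, "ParentProcessId": 1284,
     "Image": CHILD, "ParentImage": PARENT},
    {"EventID": 10, "SourceProcessId": 1284, "SourceImage": PARENT,
     "TargetProcessId": 3004, "TargetImage": CHILD, "GrantedAccess": "0x1F0FFF"},
    {"EventID": 13, "ProcessId": 4100,
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 1, "ProcessId": 5200, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def detect(events):
    """Return (rule, pid, detail) tuples in input order.

    'executes_dropped_exe' is stateful: it fires only when the launched image was
    created earlier in the same stream by the launching parent, which is the
    parent -> CTS.exe relationship the report records.
    """
    findings = []
    dropped = {}  # lower-cased path -> PID of the process that created it
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            target = ev["TargetFilename"]
            if WINDOWS_ROOT_EXE.match(target) and USER_WRITABLE.match(ev["Image"]):
                dropped[target.lower()] = ev["ProcessId"]
                findings.append(("drop_exe_in_windows_root", ev["ProcessId"], target))
        elif eid == 13:
            value = ev["Details"].strip('"')  # Run values are often stored quoted
            if RUN_KEY.search(ev["TargetObject"]) and WINDOWS_ROOT_EXE.match(value):
                findings.append(("run_key_to_windows_root_exe", ev["ProcessId"], ev["TargetObject"]))
        elif eid == 1:
            if dropped.get(ev["Image"].lower()) == ev["ParentProcessId"]:
                findings.append(("executes_dropped_exe", ev["ProcessId"], ev["Image"]))
        elif eid == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & PROCESS_VM_WRITE and USER_WRITABLE.match(ev["SourceImage"]):
                findings.append(("write_process_memory_from_user_path", ev["SourceProcessId"],
                                 f"target PID {ev['TargetProcessId']} {ev['TargetImage']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid:<6} {detail}")
```

Two points from the report's own data are worth carrying into any hunt built on this. First, the Downloads section shows the persisted copy C:\Windows\CTS.exe (MD5 f9d4ab0a726adc9b5e4b7d7b724912f1) does not hash-match the submitted sample (MD5 9e9a9a2045cb2407c74c1d49ec012e32) despite the identical 71KB size, so a hash-only IoC on the parent misses the copy that survives reboot; the path, the Run value name CTS and the parent/child relationship are the durable indicators. Second, the Run key landed under WOW6432Node, which on 64-bit Windows is where a 32-bit process's HKLM\SOFTWARE writes are redirected; entries there are still executed at logon, so a rule that only watches the native Run key misses it. Successful writes to HKLM and to the Windows root also show the sample ran elevated in this sandbox (the user is Admin), which is the context in which the SeDebugPrivilege enable recorded above can take effect.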
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 394KB
  MD5: 0648b77ecfcc80c4a9d4ca625ef02866
  SHA1: 285d6105ae6fd4ecec131512f3069453652b19d0
  SHA256: 6f43c5e70f6c592155fe7ea2bd073f0b03681f6fa74f99c876fb8e22c21bd1a8
  SHA512: a9a4f458c82fae8c0c4d833ac9b512f8248c4c8631dc02db8d1b72bf499c17d4c715b28f855f0331af6fb3d17f3e494737486081a6157846329f444a984795df
C:\Users\Admin\AppData\Local\Temp\F3UfSATcZJ4O5tE.exe
  Filesize: 71KB
  MD5: 8a6993456dc9deeeba18ec3171ce52b5
  SHA1: e7ae043ce5d5fc78dfe84e30fd0f4e874d144a47
  SHA256: dbd0030a0048f727c32784cf7d6eebdc5e127009e2d0b15a47fd60499a57ebb9
  SHA512: be7deaaca952b68f75a239fc61cd6a8b32e7b7a2179ec01032e623178a0b56587b0bb60b095ee6a5651da5ad6d38bf27295c66e5635a2fe1ebaf39af75243982
C:\Windows\CTS.exe
  Filesize: 71KB
  MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
  SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
  SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
  SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432