fd8c7e02d7f75b8a3db79fcb1c111a6bef08d1ee901b7d9b6006bbe6322a8e17

General

Target

2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe
Size

13.3MB
MD5

8b2a2c495d9daaba27121e4d98078a64
SHA1

792591360b1799abac3b3122cdc03d257a4e6da8
SHA256

fd8c7e02d7f75b8a3db79fcb1c111a6bef08d1ee901b7d9b6006bbe6322a8e17
SHA512

060fe3f4543671ea51f87c774dbdb0d8fb1ae454f259cf91fdb6298197a7db0d423801aab83641b222c046d258aa4d6c6c6a2cb450080e429c45ff7415053c16
SSDEEP

393216:xs67sfpd6d9ZJooUI3l1sUlZTJI9ccpQyB:xIf0qoj3XTHKcUB

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

1kNgRYEkWh5yOmF.exeCTS.exe1kNgRYEkWh5yOmF.exe

pid process

616 1kNgRYEkWh5yOmF.exe
2732 CTS.exe
3940 1kNgRYEkWh5yOmF.exe
Loads dropped DLL 1 IoCs

Processes:

1kNgRYEkWh5yOmF.exe

pid process

3940 1kNgRYEkWh5yOmF.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
616	1kNgRYEkWh5yOmF.exe
2732	CTS.exe
3940	1kNgRYEkWh5yOmF.exe

pid	process
3940	1kNgRYEkWh5yOmF.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 2 IoCs

Processes:

CTS.exe2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe

description ioc process

File created C:\Windows\CTS.exe CTS.exe
File created C:\Windows\CTS.exe 2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 3232 2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe
Token: SeDebugPrivilege 2732 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe

description	pid	process
Token: SeDebugPrivilege	3232	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe
Token: SeDebugPrivilege	2732	CTS.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe1kNgRYEkWh5yOmF.exe

description	pid	process	target process
PID 3232 wrote to memory of 616	3232	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe	1kNgRYEkWh5yOmF.exe
PID 3232 wrote to memory of 616	3232	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe	1kNgRYEkWh5yOmF.exe
PID 3232 wrote to memory of 616	3232	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe	1kNgRYEkWh5yOmF.exe
PID 3232 wrote to memory of 2732	3232	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe	CTS.exe
PID 3232 wrote to memory of 2732	3232	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe	CTS.exe
PID 3232 wrote to memory of 2732	3232	2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe	CTS.exe
PID 616 wrote to memory of 3940	616	1kNgRYEkWh5yOmF.exe	1kNgRYEkWh5yOmF.exe
PID 616 wrote to memory of 3940	616	1kNgRYEkWh5yOmF.exe	1kNgRYEkWh5yOmF.exe
PID 616 wrote to memory of 3940	616	1kNgRYEkWh5yOmF.exe	1kNgRYEkWh5yOmF.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_8b2a2c495d9daaba27121e4d98078a64_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\1kNgRYEkWh5yOmF.exe
C:\Users\Admin\AppData\Local\Temp\1kNgRYEkWh5yOmF.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\Temp\{ABB6C9EE-8596-4119-9652-9C5FC1B1D616}\.cr\1kNgRYEkWh5yOmF.exe
"C:\Windows\Temp\{ABB6C9EE-8596-4119-9652-9C5FC1B1D616}\.cr\1kNgRYEkWh5yOmF.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\1kNgRYEkWh5yOmF.exe" -burn.filehandle.attached=696 -burn.filehandle.self=700
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3940

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
394KB

MD5
9bdacd11310a5ccb99a68c4eb26182b0

SHA1
0a96636c2621d7f79efd720c1e787f0fd5355be3

SHA256
392425014d627b51db39d18f1e1ef66bc78053f02e02bc877123234c88921f91

SHA512
38d28b0a05631d9b100da161795613ab32756d199d5a8a6ec41047cf93269289e184b1a981c8a1de6db1709a89edf2f6dfe40fbe57c6c9041c248452eb7a62d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kNgRYEkWh5yOmF.exe

Filesize
13.2MB

MD5
ca8c521c30f57c0c199d526b9a23fc4a

SHA1
663399541a7d3bb1b5ea0e57a00c024e50d8506c

SHA256
8ae59d82845159db3a70763f5cb1571e45ebf6a1adfecc47574ba17b019483a0

SHA512
28cf976fa51e4c7abb57fd8fcde6381f1e140407924ef265fde6e59546fb6fdeb803f388a5d1e9e74fb80d47ce5fd9f275aaf41258a09002fba27c2cbbc2df4d

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit
C:\Windows\Temp\{ABB6C9EE-8596-4119-9652-9C5FC1B1D616}\.cr\1kNgRYEkWh5yOmF.exe

Filesize
634KB

MD5
2389d29f633df11642dff1bf5f21eb35

SHA1
ce85460fd7cde25528142f4cdca4e6013bb4b1e8

SHA256
ab91fbaab09a94839ba839275338ac42fe2661781d371e517f9b2e4866e2cc55

SHA512
59d607112566d13d15a8de8e18be204e8bf0d2010310ebc9c8589ceb42fb8fce7800a6e58f30ffb92d4c1b3e0d17c1a2076a478de753e5334971465c52f8eeed

Download Submit
C:\Windows\Temp\{C27B8C45-2A53-4BA0-8564-FF954F3EDB33}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{C27B8C45-2A53-4BA0-8564-FF954F3EDB33}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads