Analysis
max time kernel: 132s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 24-05-2024 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2 (this report)
  Sample: 2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe
Size: 24.4MB
MD5: aca7687a1e07b40efa324c38b65eee4f
SHA1: 8ed77d3754525e1d7aece86336ee3d8f81a7620a
SHA256: 40b2c1b3aba258802acf94f8e764b1bad6694d8e0d59eab293058e942b054f6d
SHA512: b28e95e49cd2694043bef9cd9f0416fd2b2609522cd5471d46220926e7c38526e290e261e640f2685b2fcabdf51280f227b85266a19d43bb3080b6bc7814d3ed
SSDEEP: 393216:fFFXBx+b6PvWswX1PbXa7AIYmkMzFzMKoWf697b7ueSvbliUWVFU1MA5onBulMFP:dFxxbWscjSAxcNw9HqTmFkBCBgoj
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   process
  4536  WWUjMRG4zPZfhWm.exe
  1760  CTS.exe
  4448  WWUjMRG4zPZfhWm.exe

Loads dropped DLL (1 IoC)
  pid   process
  4448  WWUjMRG4zPZfhWm.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
  description   ioc                 process
  File created  C:\Windows\CTS.exe  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe
  File created  C:\Windows\CTS.exe  CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2560  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe
  Token: SeDebugPrivilege   1760  CTS.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                           pid   process                                                        target process
  PID 2560 wrote to memory of 4536      2560  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe  WWUjMRG4zPZfhWm.exe
  PID 2560 wrote to memory of 4536      2560  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe  WWUjMRG4zPZfhWm.exe
  PID 2560 wrote to memory of 4536      2560  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe  WWUjMRG4zPZfhWm.exe
  PID 2560 wrote to memory of 1760      2560  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe  CTS.exe
  PID 2560 wrote to memory of 1760      2560  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe  CTS.exe
  PID 2560 wrote to memory of 1760      2560  2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe  CTS.exe
  PID 4536 wrote to memory of 4448      4536  WWUjMRG4zPZfhWm.exe                                            WWUjMRG4zPZfhWm.exe
  PID 4536 wrote to memory of 4448      4536  WWUjMRG4zPZfhWm.exe                                            WWUjMRG4zPZfhWm.exe
  PID 4536 wrote to memory of 4448      4536  WWUjMRG4zPZfhWm.exe                                            WWUjMRG4zPZfhWm.exe
Processes (indentation shows parent/child depth)

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\WWUjMRG4zPZfhWm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\WWUjMRG4zPZfhWm.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Temp\{CF631589-67AC-4918-8A2E-6C74CCEFC8FD}\.cr\WWUjMRG4zPZfhWm.exe
      Command line: "C:\Windows\Temp\{CF631589-67AC-4918-8A2E-6C74CCEFC8FD}\.cr\WWUjMRG4zPZfhWm.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\WWUjMRG4zPZfhWm.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
      - Executes dropped EXE
      - Loads dropped DLL

  Level 2: C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
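Two things in the tree above are worth separating before writing detections. The WWUjMRG4zPZfhWm.exe chain, with its `-burn.clean.room=` argument and the `.ba\wixstdba.dll` and `logo.png` drops under C:\Windows\Temp, is a WiX Burn bootstrapper relaunching its engine from a clean-room copy, which is what any Burn-built installer does; it accounts for 24.3MB of the 24.4MB sample. The persistence is the 71KB CTS.exe written directly into C:\Windows and registered under the WOW6432Node Run key (the write is redirected there because the writing process is 32-bit on an x64 host), and CTS.exe re-drops and re-registers itself when it runs, which is why both of those IoCs appear twice. The WriteProcessMemory entries are three writes from each parent into the child it had just spawned, the pattern ordinary process creation produces, not writes into an unrelated process. The Python below is an added example, not part of the sandbox report: it evaluates detection rules for that persistence chain over constructed Sysmon-style events (Event ID 11 FileCreate, 13 RegistryValueSet and 1 ProcessCreate, using Sysmon's field names). The paths, PIDs and the CTS.exe and sample SHA256 values are copied from this report; the event dicts, the benign Contoso entry and the rule names are assumptions made for illustration.

```python
"""Detection rules for the persistence chain in this report, evaluated over
constructed Sysmon-style events. Added example; not part of the sandbox output."""
import re
from dataclasses import dataclass

# SHA256 values copied from this report (C:\Windows\CTS.exe from the Downloads
# table and the submitted sample). Everything else below is constructed.
KNOWN_BAD_SHA256 = {
    "b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc": "CTS.exe (dropped persistence stub)",
    "40b2c1b3aba258802acf94f8e764b1bad6694d8e0d59eab293058e942b054f6d": "submitted sample",
}

# HKLM Run/RunOnce value, with or without the WOW6432Node redirection a 32-bit
# process gets on x64. Accepts both the Sysmon (HKLM\...) and the sandbox
# (\REGISTRY\MACHINE\...) spellings of the hive.
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An .exe sitting directly in the Windows root, not in System32 or any subfolder.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def detect(events):
    r"""Evaluate the rules over a list of Sysmon-like event dicts, in stream order.

    temp_drops_into_windows        EID 11: an image under a user Temp dir creates an .exe in the C:\Windows root
    run_key_to_windows_root        EID 13: a Run value whose data is an .exe in the C:\Windows root
    run_key_points_at_dropped_file EID 13: Run value data equals a path created earlier in the stream
    known_bad_hash                 EID 1:  process image SHA256 is one of the hashes from this report
    """
    alerts = []
    created = {}  # lower-cased path -> pid that created it (for the correlation rule)
    for ev in events:
        eid, pid, image = ev["EventID"], int(ev.get("ProcessId", 0)), ev.get("Image", "")
        if eid == 11:
            target = ev["TargetFilename"]
            created[target.lower()] = pid
            if WINDOWS_ROOT_EXE_RE.match(target) and USER_TEMP_RE.match(image):
                alerts.append(Alert("temp_drops_into_windows", pid, f"{image} -> {target}"))
        elif eid == 13:
            m = RUN_KEY_RE.match(ev["TargetObject"])
            if m:
                data = ev["Details"].strip().strip('"')
                if WINDOWS_ROOT_EXE_RE.match(data):
                    alerts.append(Alert("run_key_to_windows_root", pid, f"{m['name']} = {data}"))
                if data.lower() in created:
                    alerts.append(Alert("run_key_points_at_dropped_file", pid,
                                        f"{data} was created by pid {created[data.lower()]}"))
        elif eid == 1:
            # Sysmon writes "SHA256=...,MD5=..." style comma-separated hashes.
            for part in ev.get("Hashes", "").split(","):
                algo, _, value = part.partition("=")
                if algo.strip().upper() == "SHA256" and value.lower() in KNOWN_BAD_SHA256:
                    alerts.append(Alert("known_bad_hash", pid, f"{image} is {KNOWN_BAD_SHA256[value.lower()]}"))
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-24_aca7687a1e07b40efa324c38b65eee4f_bkransomware.exe"

# Constructed events. The first is a benign installer registering an updater
# and must not alert; the rest replay the chain from this report's Signatures.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Contoso\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContosoUpdate",
     "Details": r"C:\Program Files\Contoso\update.exe"},
    {"EventID": 11, "ProcessId": 2560, "Image": SAMPLE, "TargetFilename": r"C:\Windows\CTS.exe"},
    {"EventID": 13, "ProcessId": 2560, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS",
     "Details": r"C:\Windows\CTS.exe"},
    {"EventID": 1, "ProcessId": 1760, "ParentProcessId": 2560, "Image": r"C:\Windows\CTS.exe",
     "Hashes": "SHA256=B43BE87E8586CA5E995979883468F3B3D9DC5212FBFD0B5F3341A5B7C56E0FBC"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid {a.pid}: {a.detail}")
```

Running the file prints four alerts, one per rule, and nothing for the Contoso entry. The Run-key rule is deliberately narrow (an .exe directly in the Windows root, which legitimate software almost never registers) so it stays quiet on installer traffic; the correlation rule is the high-confidence one, since it fires only when the Run value points at a file the same event stream saw being created. The hash rule is the weakest and is included only to show how the report's Downloads table turns into a lookup; a rebuilt CTS.exe would bypass it while the two behavioural rules still fire.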
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 392KB
  MD5: 7c3a1cceeae7be7196b53a217ba0ef4a
  SHA1: 903d717ffaca0f4e7b7a4c8dd2dc63e1854848ba
  SHA256: 562af2d37de1c1ccf7d1617231208d35afc2b2eef1a2c5c3151a0adbe4e3050a
  SHA512: f78c698b2b64cb6d43afacbe10d2ae7ea662bb302e7d981d35b7b013af12cd0794a652a67c4780fbc51a01d3f7d51adce618ebb35143e2076dd61c55c1c93eb1

C:\Users\Admin\AppData\Local\Temp\WWUjMRG4zPZfhWm.exe
  Filesize: 24.3MB
  MD5: 119dde89a20674349a51893114eae5ed
  SHA1: 4de9f6681f0f213b132def3af88a3c68483f5f32
  SHA256: 26c2c72fba6438f5e29af8ebc4826a1e424581b3c446f8c735361f1db7beff72
  SHA512: 9be541f26b5d43cee1766239d8880ab7d30d18fea2f17e28d63a498b30b7dd0918f389805398cb56b0df0df17c8633cb73f9e46672c93b21be04b85bda7a2648

C:\Windows\CTS.exe
  Filesize: 71KB
  MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
  SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
  SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
  SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Windows\Temp\{9169F83E-DD4D-4349-9D83-2EAD59C93CD7}\.ba\logo.png
  Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{9169F83E-DD4D-4349-9D83-2EAD59C93CD7}\.ba\wixstdba.dll
  Filesize: 191KB
  MD5: eab9caf4277829abdf6223ec1efa0edd
  SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{CF631589-67AC-4918-8A2E-6C74CCEFC8FD}\.cr\WWUjMRG4zPZfhWm.exe
  Filesize: 635KB
  MD5: 7cf46d8dfb686998aaaf81e27b995e8c
  SHA1: c5638a049787ce441c9720c92d3cd02aa3b02429
  SHA256: 120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4
  SHA512: 66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe