f48adf9b558398b5bc323e8876cccf4087dbcb94be54f02fef77164a24a4986b

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe
Size

74KB
MD5

3af5315da25413161bcbe41232c3e4b2
SHA1

17e055d2d2fdc2eea00fdb0622354b247bea80ef
SHA256

f48adf9b558398b5bc323e8876cccf4087dbcb94be54f02fef77164a24a4986b
SHA512

840a9a1eb35158ddc7e150e9c124323affe176c23c42165f8e7e0a6bdf5f6737137606f0ab6c158257b7a313ff4262f8ba355f2ad4f184e0e7ecf982bc6dcc3e
SSDEEP

1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTZU:ZRpAyazIliazTZU

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4936	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe
Token: SeDebugPrivilege	4936	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4936	2748	2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe	91
PID 2748 wrote to memory of 4936	2748	2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe	91
PID 2748 wrote to memory of 4936	2748	2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3af5315da25413161bcbe41232c3e4b2_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
789KB

MD5
1959fe46d4aca2b27527d29306fead0a

SHA1
7c5f8dc5f2e8aa23a37aff2142e3bbf6d4895e27

SHA256
57ee2fca7523efa4f8ba7af70dd0f8bc44c88dd36c630f43ca27129579504bc3

SHA512
d4150fda025f0dc536bea30f0bc3c3d59aebab1b5adab32f8c3173341070e6ecf920f0b861a12d8f0484fd6c2434ddc2ea989d2f8decf7932b08ab59ca7c150d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADGDljqCdKXLMvY.exe

Filesize
74KB

MD5
b8c82e5e61d67cb620b935bcec42b22f

SHA1
5e3a35551367caaa0a84667cba27f52c8935e813

SHA256
165e376a7b1c129c2059c328ed6c2b45499286310e106be8efe9835a8f620b8b

SHA512
8e869cd5b82179942bec1d1654261546e46a068a71fb3b922be4721c31b29f148ff0b72cbb9699c530235a093e9f19e8b39c5c8dedd1f51d2e2c24cbb7591570

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads