cc5e209c47f931d3004d19755b26b21686344b86f26976a2a9cf87592b2dee32

Analysis

max time kernel
132s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 06:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe
Size

71KB
MD5

cb199b8116cf37150da76f327a3b423e
SHA1

9d94c34c4f1f30ad4e4372696ea2a217a426473e
SHA256

cc5e209c47f931d3004d19755b26b21686344b86f26976a2a9cf87592b2dee32
SHA512

4e9a2e080ddf56f03f7b78f8c940f5900b77aa70368e312ae36cce7de7dab3cddbb5cd8198f643eb2d51d6fefbfc2a8e5c9c8d2201ff3e211e1861a40e898b21
SSDEEP

1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTi:ZRpAyazIliazTi

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe
Token: SeDebugPrivilege	2360	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2360	5040	2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe	82
PID 5040 wrote to memory of 2360	5040	2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe	82
PID 5040 wrote to memory of 2360	5040	2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
392KB

MD5
8c5fad72a995c8ad3f688e1d7ec31562

SHA1
6c6a967377bb2a737fe0572634cc860b4db79b83

SHA256
8966d5fc19ae20bad4654c511fc89d2ed951dccf3473e354b36ff07d67c2887f

SHA512
fa256b9fc47f8229da62b01d92a39b08c440c4dd8e691121057d2ad176a06757d224d232d92e571cb0064b0892ca99fdb10d9ef812fb88e7f130ac51a45fae55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ks7SOS2gYx2J7gI.exe

Filesize
71KB

MD5
c9e42f8a978dff765e9f5cfc023dfd4e

SHA1
6909eae5d34fb7306dc9f15b4bc00a72a10bcabf

SHA256
4943547c67ee378c4011576fd4b01aa1da68284d2519266080454e4bc5e3528d

SHA512
fa5cab51c12262d4f52df445427d6b6d15f52f907fcc485c9cb1850fc95e1f1cfc39910e8e9a9eb1ed094d083aa8a095bbb424adf1e64df9182deedb88e5362b

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads