Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 00:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe
-
Size
71KB
-
MD5
5fff1872ff95d09e59f17f44020f88e7
-
SHA1
721f3517a4826dd530d28e1ddcf718383ecb4197
-
SHA256
24cf61fc1f05c71abba8bba768cd57e1923aa612c787c9b7b7525158473b1c25
-
SHA512
d1fc066814e1c45572803141eeb385a16dd30b643a6bf139fcf221193c833d4b085a3c63e212d7e374de17c1c18a49cc01005b00e0218ec9dd6b3f641f7c0dc9
-
SSDEEP
1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTK:ZhpAyazIlyazTK
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
CTS.exepid process 1728 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
CTS.exe2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe -
Drops file in Windows directory 2 IoCs
Processes:
2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exeCTS.exedescription ioc process File created C:\Windows\CTS.exe 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exeCTS.exedescription pid process Token: SeDebugPrivilege 2756 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe Token: SeDebugPrivilege 1728 CTS.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exedescription pid process target process PID 2756 wrote to memory of 1728 2756 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe CTS.exe PID 2756 wrote to memory of 1728 2756 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe CTS.exe PID 2756 wrote to memory of 1728 2756 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe CTS.exe PID 2756 wrote to memory of 1728 2756 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1728
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD5b40391c0be3f8276c7a950b7a81de552
SHA198719fca196f8a20556fa22e34f9fdd4d5d72fd4
SHA2563ba3c19b3cdb92c7fc16d36abe075c49c7f801de7867c99c51d34d42597ac08b
SHA512df82ea8fd606cb9636daa014026bd596eb7e745b60655971772cda5bc1517abda3d3dc5c6b415e02ac2883d49df6f0224af4d7d6cf90cf4a4a83c2eb73b80ad2
-
Filesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25