c8ff5ad59d91e121c255446a35a7007f89a1fa049226366b0fe5aa547daac2ae

General

Target

2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe
Size

7.3MB
MD5

23a9225eb0a8b3365a4f990219540645
SHA1

67a9eb89ae7ab25a2e7e10a1c6bc1f11cc47ade6
SHA256

c8ff5ad59d91e121c255446a35a7007f89a1fa049226366b0fe5aa547daac2ae
SHA512

8585fa04fafb63979db37f17e1a076b64bb4626a8c900f1aa62f44daa4942fe94be21b37fa541350ef6fa4e4ca89aba55502f3c5c87d4d508351e2d47ad162c2
SSDEEP

196608:O1XfKheEC2GVOyCxak/wjKktQ3Tm4ID3793KtS/xm:thy2jxa8wek2i4ILJI9

Score

9^/10

Malware Config

Signatures

Detects executables containing URLs to raw contents of a Github gist 2 IoCs

resource	yara_rule
behavioral2/files/0x000600000002326f-2.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4540-25-0x00000000006A0000-0x0000000000DE6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Executes dropped EXE 2 IoCs

pid	Process
4540	aUGx92COsXM6U3b.exe
3972	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe
Token: SeDebugPrivilege	3972	CTS.exe
Token: SeDebugPrivilege	4540	aUGx92COsXM6U3b.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4540	4744	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe	81
PID 4744 wrote to memory of 4540	4744	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe	81
PID 4744 wrote to memory of 3972	4744	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe	82
PID 4744 wrote to memory of 3972	4744	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe	82
PID 4744 wrote to memory of 3972	4744	2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_23a9225eb0a8b3365a4f990219540645_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\aUGx92COsXM6U3b.exe
  C:\Users\Admin\AppData\Local\Temp\aUGx92COsXM6U3b.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
392KB

MD5
4dffebf5016305dab6139170eace1412

SHA1
e96922f41fdd14d76b3e239b7ecca833c6f0fd7a

SHA256
f724da92ec9f58136d29f81291f710b62092229ac983451fb32e1dcac5866b6d

SHA512
08fcd8aac6a1b1128fc90191d2f13598afc2aa77bc1120e72a43b3b33e4f39cee763b8865724c6f664e9c9556b8c1b774a57596b7c17cab7794c142b832b01c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUGx92COsXM6U3b.exe

Filesize
7.3MB

MD5
dd6b75a77601d62ac66df1b0a51a7de3

SHA1
699fc35deccb0cd6e341420903fc993535c2c98f

SHA256
2f46a1d48e1589e0aa10f215e77cb48fb90c531e19aa3c05d766f59b449f3c15

SHA512
43bd57e5379c22494aade734a45a443722327d48c7f06aa521048c99adba576e29bd70bba7bd28ba94f8f24f88efed7b8e5a1b3249cbfcb4d95fd0bc1f424d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.4540.update

Filesize
9KB

MD5
14ffcf07375b3952bd3f2fe52bb63c14

SHA1
ab2eadde4c614eb8f1f2cae09d989c5746796166

SHA256
6ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed

SHA512
14a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
4KB

MD5
a34ecbd47b14f2d50ed8a6ccc8642281

SHA1
01c9ad67395a659b5fe937cf9ea39e8ae97ae633

SHA256
43004fe8296ad21aa1656fca1b7a1d644df4a86cce5b9fa8153fede5378b4c93

SHA512
5e0141ec50608e12e932189f4892c795bc93729e85042c3cade3c259c7fbbd825c723d7c521f8d8c7bca8c63a4a4306ed45f13d6f4e02083303832bfcb1a52b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
805B

MD5
e0f46a3ab3318cccc67e58b9e5daf78e

SHA1
4cdb1952c99a2cf4eaffd6600b5490e4436a8f30

SHA256
2a84c14af0dd62920b6ea2d8a4cfe9910a8427b4c57aef0b125cc73d88afb64d

SHA512
8a4159b037c7b1d4fd2272365aebb41a5e22fd3b4707db6aba3e43dee68535018dd12cd896366f370e0583309d8c46aa202cdf52c86b27d576291c1630318f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
memory/4540-25-0x00000000006A0000-0x0000000000DE6000-memory.dmp

Filesize
7.3MB

Download
memory/4540-63-0x000000001DC00000-0x000000001DC76000-memory.dmp

Filesize
472KB

Download
memory/4540-64-0x0000000003050000-0x000000000306E000-memory.dmp

Filesize
120KB

Download
memory/4540-62-0x000000001BA70000-0x000000001BAC0000-memory.dmp

Filesize
320KB

Download
memory/4540-37-0x0000000002FA0000-0x0000000002FC0000-memory.dmp

Filesize
128KB

Download
memory/4540-26-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

Filesize
10.8MB

Download
memory/4540-12-0x00007FFE444A3000-0x00007FFE444A5000-memory.dmp

Filesize
8KB

Download
memory/4540-169-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads