Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 00:25
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe
-
Size
71KB
-
MD5
08096c6e58536c35881c54a6a74d9d0e
-
SHA1
e4c9b48548a6d1c6f5a92d1586c6673f7e1f7327
-
SHA256
bce278f72862767ae49e7493d789747dbc864156d92ebd681ad8828f1c9e9d13
-
SHA512
42fdca3a6d38524b7f93e8aa75c5f2a6417b9ef825ec8f5af0e481854dd27d27e70d28c2cc2530f811f0d9d3032946410161d4154511797e54001d8ec5ce66a5
-
SSDEEP
1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTP:ZhpAyazIlyazTP
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
CTS.exepid Process 4580 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exeCTS.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exeCTS.exedescription ioc Process File created C:\Windows\CTS.exe 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exeCTS.exedescription pid Process Token: SeDebugPrivilege 4268 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe Token: SeDebugPrivilege 4580 CTS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exedescription pid Process procid_target PID 4268 wrote to memory of 4580 4268 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe 91 PID 4268 wrote to memory of 4580 4268 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe 91 PID 4268 wrote to memory of 4580 4268 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4612 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:3896
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
789KB
MD519708219d534a85281787991712b25e1
SHA12cec34e1eb87407d700b75eb055e24d3fd54d816
SHA2567159e4ac919bb63f9f0d8344d97afe0d5e6a6a71f62cfac667965449cacbae8e
SHA51234c320d5e46c4ebf0854f45c7989e78b3459ca21f5e62263f977ffba5225e712c09bf195f9651488d58ab2cf4487e6a3edee835154c366b8b91639abebb55e68
-
Filesize
71KB
MD55b5d69a12cf70f07aad5f6b558dc2324
SHA1651e0c7e1560b74fb67a25cf538241a2967415dc
SHA256568c3828dc1d41cac9d4bf467d3b61bf7230bf94b8ce60fca894846f0874cda8
SHA512b9b308254f95e07979566d15363f905c82e6911eab97d18bc65a6d742bd3727ac1c7de77756e271d46f90520964d81f318c8a0cc5bdfd41381952b575b4f6d29
-
Filesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25