9890346c3c366dc2753899f9eb10457e0b08ce58bece04c2ee3c769960d97b21

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 13:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe
Size

288KB
MD5

f73782f8494cde405f223542345e9153
SHA1

12c31c603df3df472f49cd4bf2da0743f4aea185
SHA256

9890346c3c366dc2753899f9eb10457e0b08ce58bece04c2ee3c769960d97b21
SHA512

dfb92626d6e67ab8c4a0623c2b155414bc433b6bb06c27ebbc8455da63bbc3f23be9370e6408b21a3d89f9af656fb712dd2714378d246872cf4a9292f57c1f04
SSDEEP

6144:hZMazOXUyUaZWmr1ly0+EzthyIhkpBWvcZYKpJKQ2XoZIYC:hS0EUyUwT100vYx7kc2XaIYC

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2864	LN5L6h6au8ucZUq.exe
1540	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	100	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe
Token: SeDebugPrivilege	1540	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 2864	100	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe	83
PID 100 wrote to memory of 2864	100	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe	83
PID 100 wrote to memory of 1540	100	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe	84
PID 100 wrote to memory of 1540	100	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe	84
PID 100 wrote to memory of 1540	100	2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_f73782f8494cde405f223542345e9153_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Local\Temp\LN5L6h6au8ucZUq.exe
  C:\Users\Admin\AppData\Local\Temp\LN5L6h6au8ucZUq.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
394KB

MD5
383cca54527591fde30c98d1f46225ab

SHA1
dca44da8b1cb76abc3a2ec34d853d05a8fe1d352

SHA256
8c5acdb19214c78d933c8d2cba4f2176fa18f4a44c910c780b618c2ffa3f0b56

SHA512
86fa57d7a3d86aaa679318ee6578ecc4e0b5d679fd9d1d3cc974af5111636e82a8f8e298a1d1b339211e1b384b301476930218d61e105ec4343a3e1b5f4374d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LN5L6h6au8ucZUq.exe

Filesize
217KB

MD5
f8a38fd27da720881c0af1ac99b8c1ad

SHA1
2ed31938119e2ebdeb0f5539c985e9965aef72d7

SHA256
b2e32b3fa44b3a9a8fdfa906627355f6f48b4821929f9bce5ded2d07894361d4

SHA512
aafa05bc5bd68687b998fe4d9a619caecc65d14f317af7a05ac0ecab7e231891e8719029245dc84eddce20bdd4c0cc6f4ffafdf8200227746b28cc6628564495

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads