e4455cc9aff329e4f0ebb6eab86dcf6f6b3a3c3204295997411dd2418ca992db

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe
Size

144KB
MD5

be585ec1173c64f7fad34271fd344b00
SHA1

324b2e1271b52e6c3ba480a39b9ab4bf096a6c4b
SHA256

e4455cc9aff329e4f0ebb6eab86dcf6f6b3a3c3204295997411dd2418ca992db
SHA512

56a47d4902392c733af5f40b805ce2d5715026cab6b4cf7957e65f4ae3b5d43bc87c53c914d8ff85ba939956db351363f1d2a9f6a7616dff571f91cbbbfd9bf6
SSDEEP

3072:ZhpAyazIlyazT74aSLKH0wHKZ5gHwGYhNUkFfQH13BQcYJYxf:hZMazP0p5pNvFfQPHYJYxf

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4488	u50Lb5aZGtzkx1v.exe
4980	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe
Token: SeDebugPrivilege	4980	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4488	4008	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe	84
PID 4008 wrote to memory of 4488	4008	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe	84
PID 4008 wrote to memory of 4980	4008	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe	85
PID 4008 wrote to memory of 4980	4008	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe	85
PID 4008 wrote to memory of 4980	4008	2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_be585ec1173c64f7fad34271fd344b00_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\u50Lb5aZGtzkx1v.exe
  C:\Users\Admin\AppData\Local\Temp\u50Lb5aZGtzkx1v.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
394KB

MD5
00edcc747546ceb6dc542e9fd40b4af1

SHA1
5477e9d7ee2c2f9e8ed58d4df3b1261df2d7c403

SHA256
cc9424a34f5f4fd0b29126494f347329fbcd24cf0de2fd8d3b9cf87bd2c27528

SHA512
fbb93cc40f2f47dda6463f521b9d6d1b4d5e01342261c20d41502293c2f58a748f667dfc03cab503ea41f7573fdab5b319af626b6b6e749caaefffa124f22e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\u50Lb5aZGtzkx1v.exe

Filesize
73KB

MD5
2ffc9a24492c0a1af4d562f0c7608aa5

SHA1
1fd5ff6136fba36e9ee22598ecd250af3180ee53

SHA256
69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721

SHA512
03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads