3fb78acc990e3f7b6b581cb829378e5274ed76ed5434cf2baf84c3382c0b88f1

General

Target

2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe
Size

96KB
MD5

8c70d0ebebffbb7b836ab837bfbbf1d4
SHA1

7bed4f9838b6f46da79bb7b3e28e39799f4f62df
SHA256

3fb78acc990e3f7b6b581cb829378e5274ed76ed5434cf2baf84c3382c0b88f1
SHA512

8de7ad58072b8b5bc10fd511ed420f0927ffc9665caa830424acbde4b7deca09843fbe2b117472fbff88f23bb66026af24ca94c34dff2383b5db37f696fab7cf
SSDEEP

1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlDuazTzNF2qf:ZRpAyazIlyazT62

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2824	CXf8AtYwSG5ri0V.exe
2272	CTS.exe

Loads dropped DLL 3 IoCs

pid	Process
1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe
1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe
2760	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe
Token: SeDebugPrivilege	2272	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2824	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	29
PID 1424 wrote to memory of 2824	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	29
PID 1424 wrote to memory of 2824	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	29
PID 1424 wrote to memory of 2824	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	29
PID 1424 wrote to memory of 2272	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	30
PID 1424 wrote to memory of 2272	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	30
PID 1424 wrote to memory of 2272	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	30
PID 1424 wrote to memory of 2272	1424	2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_8c70d0ebebffbb7b836ab837bfbbf1d4_bkransomware.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\CXf8AtYwSG5ri0V.exe
  C:\Users\Admin\AppData\Local\Temp\CXf8AtYwSG5ri0V.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CXf8AtYwSG5ri0V.exe

Filesize
96KB

MD5
b7f821f10d436ffa481439fb4fbd2575

SHA1
e3ba61c8a4f1ca6bd3df5affa4f10d41b892dbc6

SHA256
a126ee7ebd03cf8acd113860c9a73ac4331387917aef79c6f8dd1a4d4415e62f

SHA512
82a99da4454fc4c5ff62b3764ba65531f9ebb4c368ed67839153e78724e31f50ab503ad9c82c2df9482567a4e303dc0ee637a6c810827b1830c263419b26aa52

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f60519a4b9abe303feb4b5b3666a551e

SHA1
d5bb38474958a5f51fb74886482fa44e873898f5

SHA256
6be608cffb5de883843e26f17b767ebf3e0a7fe41137460b32490bcec58e382d

SHA512
3f5f479628de5e4c7911e3730062ac672f721cc513218f38193bfc9426f7fa988b97c9d315689f1b90f15805760b1b284fe4e5ef65fdf482014942f07b1e1bd7

Download Submit
\Users\Admin\AppData\Local\Temp\CXf8AtYwSG5ri0V.exe

Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
memory/2824-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads