c734bcff-aaaa-4450-a9a9-25ee52aa7ff1

ktes.sys

We were not able to verify the hash of this driver, so it remains unconfirmed.

Description

Signed kernel driver reported by Trend Micro in "BlackCat Ransomware Deploys New Signed Kernel Driver"; it was used in a BlackCat ransomware incident that occurred in February 2023.

  • UUID: c734bcff-aaaa-4450-a9a9-25ee52aa7ff1
  • Created: 2023-06-05
  • Author: Guus Verbeek
  • Acknowledgement:

Commands

sc.exe create ktes.sys binPath=C:\windows\temp\ktes.sys type=kernel && sc.exe start ktes.sys
Use Case            Privileges  Operating System
Elevate privileges  kernel      Windows 10

Detections

YARA 🏹

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Block

on hashes

Alert

on hashes

Resources

  • https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html

  • Known Vulnerable Samples

    Property            Value
    Filename            ktes.sys
    Creation Timestamp
    MD5
    SHA1                5ed22c0033aed380aa154e672e8db3a2d4c195c4
    SHA256

    Imports

    Imported Functions

    Exported Functions

    Sections

    Signature

    last_updated: 2024-04-09