Malware Analysis Report

2025-08-05 16:01

Sample ID 240526-mrle4agb72
Target 2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware
SHA256 a84ddfc94e595d086ba20fcd54691695454f246a084e4a1d55dd67b33d3cf3d3
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a84ddfc94e595d086ba20fcd54691695454f246a084e4a1d55dd67b33d3cf3d3

Threat Level: Shows suspicious behavior

The file 2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 10:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 10:41

Reported

2024-05-26 10:44

Platform

win7-20231129-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3w5jv5J6HqYxnzp.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\3w5jv5J6HqYxnzp.exe

C:\Users\Admin\AppData\Local\Temp\3w5jv5J6HqYxnzp.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3w5jv5J6HqYxnzp.exe

MD5 af88cab288e8213a11a7ea5313363d31
SHA1 cb769e3246d5244a0040621e919f7c519ba49986
SHA256 7407fac6e170430f34322202b73aa392431b5c2c49e15304fb255bb24c540366
SHA512 a4e353fcb78579345d4c5bc1f48970b473e0499dfe5bc6abeffb669295fa2940ce8637045a11f881fe88dd9b97d380ae9a8eed1b94fbd47181e0b4eb427e9679

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 10:41

Reported

2024-05-26 10:44

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3wBzXXGCl91qnQC.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_8ea90cd710a570f5d3c737e1113156c6_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\3wBzXXGCl91qnQC.exe

C:\Users\Admin\AppData\Local\Temp\3wBzXXGCl91qnQC.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3wBzXXGCl91qnQC.exe

MD5 af88cab288e8213a11a7ea5313363d31
SHA1 cb769e3246d5244a0040621e919f7c519ba49986
SHA256 7407fac6e170430f34322202b73aa392431b5c2c49e15304fb255bb24c540366
SHA512 a4e353fcb78579345d4c5bc1f48970b473e0499dfe5bc6abeffb669295fa2940ce8637045a11f881fe88dd9b97d380ae9a8eed1b94fbd47181e0b4eb427e9679

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 3e4d98460774bd53a9eaa1f6af10b66e
SHA1 7e15bf407bf7f3149e0b692a31a0744c5b6607c4
SHA256 f0282689ac56081c789bed84fdb05ab75d50549f20a122b2aa669a2313cca57a
SHA512 0860f06d45b398cfbafca7c1fe07707eb8adacc735d67a4958936b526aed052b8526b8478fb8d44c1f8ca96644baba7fedcb1719d8a93990dfabf74c67eed0d9

C:\Users\Admin\AppData\Local\Temp\3wBzXXGCl91qnQC.exe

MD5 b5b3dd398fd7093bc948369d7f25829a
SHA1 62e6b25c5cbca56b5b8dde82fb66bac69932f859
SHA256 88b594ed50f8a31d5be23cefcd8c191e8cbf853b253a4aa896c5eecc9bd5d0ba
SHA512 6a0832f85cbab01d0691c5072861511c2bedc6d840bbfd02ae95d12d1d550ad5746f2ea0d91f2eaeedce37806a521694e94eea3b75ba44b2a3cc221c4c96d699