Malware Analysis Report

2025-08-05 15:36

Sample ID 240526-nwfk3saa47
Target 2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware
SHA256 06ae3631e881c3b0ca604e0aef7692206074bd1540146606632220ecdd828ab8
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

06ae3631e881c3b0ca604e0aef7692206074bd1540146606632220ecdd828ab8

Threat Level: Shows suspicious behavior

The file 2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 11:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 11:44

Reported

2024-05-26 11:47

Platform

win7-20231129-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\q8zRP0pkzRegETd.exe

MD5 9a8a6b3f068281a44b8c70961bda9396
SHA1 4729589b244a7af9b5869e813b4457a22c291d31
SHA256 0b4c7af99f41b6d1343a5cdb9d9d5d7413733432c1fa461fa0bd80cefc66f4f7
SHA512 b71a1dc6e0b82a12f25aa8803105c8c3c77c6ea84c3f867905c91260cf292e40676be4c7325a992c65eff20f8f49c54e23616a8086a2efbe5b3cfa04594e76db

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 11:44

Reported

2024-05-27 12:14

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 8c1054e0e8d4c93742cdcc7a7b1136b9
SHA1 539ee9260995b39227e4a3294d9c5bafb0825e79
SHA256 6800646d7835164821f1d26bc52e83e065c4d9c23189a870d8f015f7dd6138b0
SHA512 31a26d8e217ea2b9af402884ddd0a99755d4d423fe96bef90ce129b52ba793b1931fca46f1ea6e91b3671f4c30a2a1fff086fc2f52bd3a69ba8bb9ecd33da3f7

C:\Users\Admin\AppData\Local\Temp\2JqD9K0hFYEtJbV.exe

MD5 d39473a9c09d0561291766f1ff29658a
SHA1 a6302bbe4e87fd1de8ba7126f75c2150872dc088
SHA256 e96143ceee906a8db801cceddbe658d8054848b937d99ec6de3dfb116a35fd0a
SHA512 e8e984c7c961a1fa3c72a27b4b4d134cfe282774cb085786f660ddcabec00b3238a2a8fba230d252fab7bacc4186aff85b3bf76609112be80339b4fdb3681f6d