Analysis Overview
SHA256
06ae3631e881c3b0ca604e0aef7692206074bd1540146606632220ecdd828ab8
Threat Level: Shows suspicious behavior
The file 2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 11:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 11:44
Reported
2024-05-26 11:47
Platform
win7-20231129-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2356 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Algorithm | Hash |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\q8zRP0pkzRegETd.exe
| Algorithm | Hash |
|---|---|
| MD5 | 9a8a6b3f068281a44b8c70961bda9396 |
| SHA1 | 4729589b244a7af9b5869e813b4457a22c291d31 |
| SHA256 | 0b4c7af99f41b6d1343a5cdb9d9d5d7413733432c1fa461fa0bd80cefc66f4f7 |
| SHA512 | b71a1dc6e0b82a12f25aa8803105c8c3c77c6ea84c3f867905c91260cf292e40676be4c7325a992c65eff20f8f49c54e23616a8086a2efbe5b3cfa04594e76db |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 11:44
Reported
2024-05-27 12:14
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4828 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Algorithm | Hash |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Algorithm | Hash |
|---|---|
| MD5 | 8c1054e0e8d4c93742cdcc7a7b1136b9 |
| SHA1 | 539ee9260995b39227e4a3294d9c5bafb0825e79 |
| SHA256 | 6800646d7835164821f1d26bc52e83e065c4d9c23189a870d8f015f7dd6138b0 |
| SHA512 | 31a26d8e217ea2b9af402884ddd0a99755d4d423fe96bef90ce129b52ba793b1931fca46f1ea6e91b3671f4c30a2a1fff086fc2f52bd3a69ba8bb9ecd33da3f7 |
C:\Users\Admin\AppData\Local\Temp\2JqD9K0hFYEtJbV.exe
| Algorithm | Hash |
|---|---|
| MD5 | d39473a9c09d0561291766f1ff29658a |
| SHA1 | a6302bbe4e87fd1de8ba7126f75c2150872dc088 |
| SHA256 | e96143ceee906a8db801cceddbe658d8054848b937d99ec6de3dfb116a35fd0a |
| SHA512 | e8e984c7c961a1fa3c72a27b4b4d134cfe282774cb085786f660ddcabec00b3238a2a8fba230d252fab7bacc4186aff85b3bf76609112be80339b4fdb3681f6d |