Malware Analysis Report

2025-08-10 12:31

Sample ID 240527-r1kx5sgh73
Target 2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware
SHA256 20385a70d740d5a8260450df7f5cc67d7f33cc04d1f58685949237233f47c1ab
Tags
persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

20385a70d740d5a8260450df7f5cc67d7f33cc04d1f58685949237233f47c1ab

Threat Level: Shows suspicious behavior

The file 2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 14:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 14:39

Reported

2024-05-27 14:42

Platform

win7-20240508-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ehZzv3VlsBvGJ1P.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\ehZzv3VlsBvGJ1P.exe

C:\Users\Admin\AppData\Local\Temp\ehZzv3VlsBvGJ1P.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\ehZzv3VlsBvGJ1P.exe

MD5 38f108cddb6619fba80f8382d5227ece
SHA1 12fd277bf756f22cfae3043900e4aff8b9f05ed9
SHA256 8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc
SHA512 3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

memory/2176-12-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

memory/2176-14-0x0000000000940000-0x0000000000968000-memory.dmp

memory/2176-15-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 14:39

Reported

2024-05-27 14:42

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4GbiKKhKI7gFJTj.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ea244df2ceec4693ddb3cab2824334aa_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\4GbiKKhKI7gFJTj.exe

C:\Users\Admin\AppData\Local\Temp\4GbiKKhKI7gFJTj.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\4GbiKKhKI7gFJTj.exe

MD5 38f108cddb6619fba80f8382d5227ece
SHA1 12fd277bf756f22cfae3043900e4aff8b9f05ed9
SHA256 8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc
SHA512 3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a27d321b9201f0686d4e6745cf50f96d
SHA1 c2502a64d09fb728636e195b6e65a6aee1d10e34
SHA256 1d1331bd0fc59344b83a246324f1271137e0435a5a288ac696bc0aeb4672ae4b
SHA512 c9a9a9989980befeadcb61f3b666a95ae655279e5b27f41c6d78d76c27bc17726b1d71c04d271dba7af84bc3287eba43b24ad78806f9d11c284344a9ab33c8a0

memory/3092-14-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

memory/3092-15-0x0000000000B10000-0x0000000000B38000-memory.dmp

memory/3092-24-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

memory/3092-32-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp