Malware Analysis Report

2025-08-10 12:31

Sample ID 240527-r1plbsgh76
Target 2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware
SHA256 7fea5bb76f83869740578da6b5c5e7255884e061c7a0a6279ee6c8abebf729e9
Tags persistence, spyware, stealer
Score 7/10


Analysis Overview

Score 7/10

SHA256 7fea5bb76f83869740578da6b5c5e7255884e061c7a0a6279ee6c8abebf729e9

Threat Level: Shows suspicious behavior

The file 2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

Tags persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 14:39

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 14:39

Reported

2024-05-27 14:42

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

Tags spyware, stealer

Adds Run key to start application

Tags persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\6uBoROWjHwgJTO0.exe

MD5 dc7a5183a53f21a8fc2170c70c2b3dda
SHA1 b7fd818e91336bf604c2fd40926d2a6fbf99c1d1
SHA256 f5a76464983618eb675aed0018208ad1553728e67e8577c2d18959665b26df41
SHA512 c95ff0590708d6d18d8e5873c64ebaa11a262aa5f0f6a44929d366a8005d980ceba4a33bfbdeca7ee04db8952bc3733085bd8d4e8c82a0d06fe0f7745c5052d6

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 14:39

Reported

2024-05-27 14:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

Tags spyware, stealer

Adds Run key to start application

Tags persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network


Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 d650a5a448d0487b0d2f625740c24dc4
SHA1 0d35dc6d0465968863ee3ccc6ec10f79842d1cf7
SHA256 de9a8e2b9596405306713c9acf27d2136d06928e16e604ac39a99f28110da867
SHA512 63e52e1408e67af598b8cf1d953a3be4e3061b49be4edd00d643762edf6ee1cd1e618694f102eda8ef9f90650d1bcf3f5630a12bdb77510750263168adba14ad

C:\Users\Admin\AppData\Local\Temp\FqFa9l3vKIVDvib.exe

MD5 cf96b1ca52d937926c8f55ce8e576d24
SHA1 94e6f495566eb6e1a4858fc7d24c21e607ac1d51
SHA256 41f747d50cee9c0fbd69fe655f78200574d1fe30dae033c1dd1e1f8419997811
SHA512 ab5e2a9b4af59caf4f7019b47a1d710964a8707593e9eeb47a72160542e30d6628b9c7ce83eee283aaf88046dde43f5491edc3276d330c70a32faebe4ca95e49