Analysis Overview
SHA256
7fea5bb76f83869740578da6b5c5e7255884e061c7a0a6279ee6c8abebf729e9
Threat Level: Shows suspicious behavior
The file 2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 14:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 14:39
Reported
2024-05-27 14:42
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2332 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2332 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2332 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2332 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\6uBoROWjHwgJTO0.exe
| MD5 | dc7a5183a53f21a8fc2170c70c2b3dda |
| SHA1 | b7fd818e91336bf604c2fd40926d2a6fbf99c1d1 |
| SHA256 | f5a76464983618eb675aed0018208ad1553728e67e8577c2d18959665b26df41 |
| SHA512 | c95ff0590708d6d18d8e5873c64ebaa11a262aa5f0f6a44929d366a8005d980ceba4a33bfbdeca7ee04db8952bc3733085bd8d4e8c82a0d06fe0f7745c5052d6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 14:39
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1492 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1492 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1492 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_ebb6b5964e08f55110d0af5306743b2b_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | d650a5a448d0487b0d2f625740c24dc4 |
| SHA1 | 0d35dc6d0465968863ee3ccc6ec10f79842d1cf7 |
| SHA256 | de9a8e2b9596405306713c9acf27d2136d06928e16e604ac39a99f28110da867 |
| SHA512 | 63e52e1408e67af598b8cf1d953a3be4e3061b49be4edd00d643762edf6ee1cd1e618694f102eda8ef9f90650d1bcf3f5630a12bdb77510750263168adba14ad |
C:\Users\Admin\AppData\Local\Temp\FqFa9l3vKIVDvib.exe
| MD5 | cf96b1ca52d937926c8f55ce8e576d24 |
| SHA1 | 94e6f495566eb6e1a4858fc7d24c21e607ac1d51 |
| SHA256 | 41f747d50cee9c0fbd69fe655f78200574d1fe30dae033c1dd1e1f8419997811 |
| SHA512 | ab5e2a9b4af59caf4f7019b47a1d710964a8707593e9eeb47a72160542e30d6628b9c7ce83eee283aaf88046dde43f5491edc3276d330c70a32faebe4ca95e49 |