Malware Analysis Report

2025-06-15 20:03

Sample ID 240530-3d1kvsdh9y
Target 2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware
SHA256 968e3fac7b477dfa7b0064ddd254e63155a20eced174f1d63d5b8a404c89ca33
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

968e3fac7b477dfa7b0064ddd254e63155a20eced174f1d63d5b8a404c89ca33

Threat Level: Shows suspicious behavior

The file 2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 23:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 23:24

Reported

2024-05-30 23:27

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\Pm6jQr85KePH109.exe

MD5 69c48e4b74f195e6e3ba4790170bca15
SHA1 14644d99cfa35bae5d0e71ef2b88bf70ef89be3c
SHA256 09d72e46fd62ed6c900476447263093433ddd285b03f0d41b9e38384f1201fd8
SHA512 dc9661277f2bedfa7d708016cd3bf127856ff6480cf58551b7a5a97dd4f9bcdf52482eb0d182ab7c4be38ce2feda4873d394363c575a32d4b1e28b7851683259

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 23:24

Reported

2024-05-30 23:27

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_490a955172e90c8fb03c0272a91c1028_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.201:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 201.83.221.88.in-addr.arpa udp
BE 88.221.83.201:443 www.bing.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 c3fdda17102fa9110b8051036612d99f
SHA1 fc0cbe8e38267de9cf362997ff55237dc8bfc160
SHA256 97a0ed8eb041ba88f70776955322e5dab2dd935ddb47787ac7fc93c8259c07a2
SHA512 5b2f20889ffcac7928f9d0b8f36a80da85a040c55552e42d021120c4aeae35b00bbc77628d24e387b43e2a8d7bf5db96a7a3b051fafccb05e49359fb4eb571d9

C:\Users\Admin\AppData\Local\Temp\S57tQx7cUBMmzed.exe

MD5 00421a83c4d8d9f78bc025adde1c6fa9
SHA1 e258562cbae75574ff5bdedcf113876520b83558
SHA256 0c2167d8d5c4533bab3351a2a02b378156c77231e2ccb8347bc50cb1e5f5923d
SHA512 f732859892f7c3e7b9f2a76416089012bcbb4dff006ca3b0c1a76cb38470a89d5bb59ecde92ebbec71bedd021fb2f253ad91c946d8a0927b04957012d10a1916