Malware Analysis Report

2024-11-30 07:07

Sample ID 240601-ja6g6aeg57
Target 2024-06-01_a3753e717a05afbac151713074724a64_bkransomware
SHA256 d4a7b8f3f6fbb6a6bbb2f408dbec8f0bdb7439ab6ae4610e81021b3a0afb50c6
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d4a7b8f3f6fbb6a6bbb2f408dbec8f0bdb7439ab6ae4610e81021b3a0afb50c6

Threat Level: Shows suspicious behavior

The file 2024-06-01_a3753e717a05afbac151713074724a64_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:28

Reported

2024-06-01 07:31

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\4LDzJd3rWYtQ0N5.exe

MD5 e543d749bdbf29d7c4ca884e9e4d8cdb
SHA1 c51f67b22b39f37d6d60936ed016a90b76a53db9
SHA256 68443a002c8304911b4e4970e9103b03d086a1925a1535d7e5fe2892daf92821
SHA512 0263163b8ea7f0d6ed8b31390a626e31c712fad82cc126d8c7e819b1d553d6f058f63fbaae7b6afeaabe92a304f0531bb9a5dbcf75311041981bb99653c47e67

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:28

Reported

2024-06-01 07:31

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_a3753e717a05afbac151713074724a64_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a7ffa8796080b4d516f2b1351138f488
SHA1 b63aa8b43fbc82ad3bf31ead2c8ef3f94be37ce0
SHA256 7ec47e7b5e934a73f38aafe47f544c9d6f86bfbff677b2add9c2765723ccf9ad
SHA512 1b173e4a111dbfc1607fae1f98c502e20de93dc39624381f327563caa7dd8ec2cfe47330864bf00b1cafb4d83c396621d00b043ee7bb1f243bb0e4f192968d03

C:\Users\Admin\AppData\Local\Temp\T4YjEucjFoZSDUl.exe

MD5 288f481ed040818db389016f04358d4c
SHA1 0822abfd6b1f4ac6eb82f4792ea1d30685b25953
SHA256 66490b5dc838d9856893c12034fa33148f251fef0f00246e744aa27f00cb6f75
SHA512 e1201a677f0e2095f348e5931e0bdf39195eb6eb9b9170c4f0de6ba2470f23c7953b3e953fad8033146c9ab6d37cc8875fb974e0b780ded0461c52af62ad9ad7