Analysis Overview
SHA256
d071e44a7c83ba7a1de12d527f90a9a8b119eaa5e484e0d0221b46146c881eb9
Threat Level: Shows suspicious behavior
The file 2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:33
Reported
2024-06-01 07:36
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe
C:\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe
| MD5 | a32a382b8a5a906e03a83b4f3e5b7a9b |
| SHA1 | 11e2bdd0798761f93cce363329996af6c17ed796 |
| SHA256 | 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346 |
| SHA512 | ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c |
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:33
Reported
2024-06-01 07:36
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
97s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe
C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe
| MD5 | a32a382b8a5a906e03a83b4f3e5b7a9b |
| SHA1 | 11e2bdd0798761f93cce363329996af6c17ed796 |
| SHA256 | 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346 |
| SHA512 | ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c |
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 3a910fa82cf5f4c33f7f047f8f2caf8f |
| SHA1 | 1276fba78e882258900c1fc8481b95925107d3f1 |
| SHA256 | a3523d53dc22e24c2e6b6dea39cff8147197ee87d5ccc8d167876af159911853 |
| SHA512 | 8a8a9257e69cc6522344fbebcd6327324811761383fbb0a9ef8cb814b8f9a1576dc5e75c5af7685b94bb7bdb7fd777158841e4f56714a71a0912704347ec1ef2 |