Malware Analysis Report

2024-11-30 07:07

Sample ID 240601-jdvj3aeh82
Target 2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware
SHA256 d071e44a7c83ba7a1de12d527f90a9a8b119eaa5e484e0d0221b46146c881eb9
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d071e44a7c83ba7a1de12d527f90a9a8b119eaa5e484e0d0221b46146c881eb9

Threat Level: Shows suspicious behavior

The file 2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:33

Reported

2024-06-01 07:36

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe

C:\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Z9oFhmv2tKzudJg.exe

MD5 a32a382b8a5a906e03a83b4f3e5b7a9b
SHA1 11e2bdd0798761f93cce363329996af6c17ed796
SHA256 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346
SHA512 ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:33

Reported

2024-06-01 07:36

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_71177e611322702e10304fe7e078a25b_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe

C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\zIviFGBAQj1PJN6.exe

MD5 a32a382b8a5a906e03a83b4f3e5b7a9b
SHA1 11e2bdd0798761f93cce363329996af6c17ed796
SHA256 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346
SHA512 ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 3a910fa82cf5f4c33f7f047f8f2caf8f
SHA1 1276fba78e882258900c1fc8481b95925107d3f1
SHA256 a3523d53dc22e24c2e6b6dea39cff8147197ee87d5ccc8d167876af159911853
SHA512 8a8a9257e69cc6522344fbebcd6327324811761383fbb0a9ef8cb814b8f9a1576dc5e75c5af7685b94bb7bdb7fd777158841e4f56714a71a0912704347ec1ef2