Analysis Overview
SHA256
460b7f1e0a91b9c5ab96217d923d2f164b439fbbfac76e1245ca8d08ebe47216
Threat Level: Shows suspicious behavior
The file 2024-06-01_948fc3db93f39956720672a129137317_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:42
Reported
2024-06-01 07:44
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ninD33EgF6sDXxd.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\ninD33EgF6sDXxd.exe
C:\Users\Admin\AppData\Local\Temp\ninD33EgF6sDXxd.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\ninD33EgF6sDXxd.exe
| MD5 | 0655a0af4a2ff9bf591f614ba8f5721f |
| SHA1 | b10d53dccec179109aff61b86ecca65be816f3c4 |
| SHA256 | d1a473a0dd813bd3565b810dcb8ff8bc7907478a994c564d55200925894e0d32 |
| SHA512 | 9051043e6711b1f1b73f4137a8e4c16362c6be5d6c01b15f0430920ce096adf0b9f6a344462aadc5c2847ab5c0d9682df13803351449462dc5dda6059319d45f |
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:42
Reported
2024-06-01 07:44
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKAs03FUKDjWfJb.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2136 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | C:\Users\Admin\AppData\Local\Temp\KKAs03FUKDjWfJb.exe |
| PID 2136 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | C:\Users\Admin\AppData\Local\Temp\KKAs03FUKDjWfJb.exe |
| PID 2136 wrote to memory of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2136 wrote to memory of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2136 wrote to memory of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_948fc3db93f39956720672a129137317_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\KKAs03FUKDjWfJb.exe
C:\Users\Admin\AppData\Local\Temp\KKAs03FUKDjWfJb.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\KKAs03FUKDjWfJb.exe
| MD5 | 0655a0af4a2ff9bf591f614ba8f5721f |
| SHA1 | b10d53dccec179109aff61b86ecca65be816f3c4 |
| SHA256 | d1a473a0dd813bd3565b810dcb8ff8bc7907478a994c564d55200925894e0d32 |
| SHA512 | 9051043e6711b1f1b73f4137a8e4c16362c6be5d6c01b15f0430920ce096adf0b9f6a344462aadc5c2847ab5c0d9682df13803351449462dc5dda6059319d45f |
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | b23cdfcf9b0015c42cbd20381fb13a60 |
| SHA1 | 658ac2c6b8daa3bf3564883ca9c6fafabc78dd97 |
| SHA256 | 0620943920a63ac48ddb5309e5480b85343778ef21cc182e56f46b010585010a |
| SHA512 | 93a5eacedda5bfc6c3a865aee0f452b2409d565625eacaa777e4d9a089d28746d143036dedb16b0a52522ff2e46ffa9bc3cf1a501cf6e76a13fcd464458d26f5 |