Malware Analysis Report

2024-11-30 06:53

Sample ID 240601-jktw4sed2y
Target 2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware
SHA256 6bc9e25575d9913b16aa1e3d289325daa809d7d1babb4923b34ad44f4de00775
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6bc9e25575d9913b16aa1e3d289325daa809d7d1babb4923b34ad44f4de00775

Threat Level: Shows suspicious behavior

The file 2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:44

Reported

2024-06-01 07:46

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03f3JmyMdQp2QY5.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\03f3JmyMdQp2QY5.exe

C:\Users\Admin\AppData\Local\Temp\03f3JmyMdQp2QY5.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\03f3JmyMdQp2QY5.exe

MD5 2fdb371d45181dff59577110ba1064e2
SHA1 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
SHA256 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
SHA512 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

memory/2016-12-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2016-14-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

memory/2016-15-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:44

Reported

2024-06-01 07:46

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VUq5vQlNX2vgZ8l.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_03687dfe73e5dcbe025c25b6b24a6879_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\VUq5vQlNX2vgZ8l.exe

C:\Users\Admin\AppData\Local\Temp\VUq5vQlNX2vgZ8l.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\VUq5vQlNX2vgZ8l.exe

MD5 2fdb371d45181dff59577110ba1064e2
SHA1 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
SHA256 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
SHA512 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

memory/3664-9-0x0000000000DD0000-0x0000000000DF8000-memory.dmp

memory/3664-11-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 aac372ef237223a34ade3829745631f8
SHA1 ac641b8928a17e3d398ff8486f4165ec52c4957b
SHA256 0f9ddaffd7043f5c7e711b19d74441d43925efccecca1ac6b263a87250274702
SHA512 5dbbafc4ecd5dbc485257e5314b52539cd7a5a8bb630da7277d0c9c621d6db717baed530f077248282870bad387c7a088c914df9618c53a292206aff120251f3