Malware Analysis Report

2025-06-16 07:09

Sample ID 240602-bff6fsdd61
Target 2024-06-02_578186df7b810fe5809213537aaea468_bkransomware
SHA256 7b911eda3edcb5cfc53b82f5aba8e50f87dc772728836424332c6c02ad3af6e7
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7b911eda3edcb5cfc53b82f5aba8e50f87dc772728836424332c6c02ad3af6e7

Threat Level: Shows suspicious behavior

The file 2024-06-02_578186df7b810fe5809213537aaea468_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 01:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 01:04

Reported

2024-06-02 01:07

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\62GaDFdiaTOpnBr.exe

MD5 87ce87d6839d7329e641695f41ef2b1e
SHA1 198bab1842a2ed0f8152126ee9fd1d44d3b73fbc
SHA256 95ea9da33250d65c3adeb7b11346ce14354a6481a76f5971cb284c5653c73c81
SHA512 2044eeae6add96663d6a1afa4130d8feca901c6a2267c33bcbb929a8db949e897817693ef9ca2cae0a009640bbfc087e68b3a39750cd5c5d8946a6aeb78a9338

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 01:04

Reported

2024-06-02 01:07

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_578186df7b810fe5809213537aaea468_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 ee907f5a0476be7887d985bf0cef8f05
SHA1 e2fbae42d9c8494715e9d07a6624d6b105762ad4
SHA256 6b6305b19882c457ac24735746b6fbe7c6699cd96016fc5dc58249d35d22b097
SHA512 39f26f2ef7d017ce46ee2484f68d76334cdf2e2365026a4944d900134f113093c0bebc8e35a8412311a458034863c735124f04ab8894ddffcd550413ba051832

C:\Users\Admin\AppData\Local\Temp\V44oPYzHtw10PIy.exe

MD5 9600074862b1d726778322e81220bcf5
SHA1 12886b9a7038d51ba76248dc16740aa87f00a512
SHA256 76b1a378d4fbfcd013dc6e900e099ee9222aae0cd159dec44121a02f361c8877
SHA512 26c38037fa609c74772039319bec237798f067d4b0ddf7b9e125ab254f2f1d6c5a530ca8b3abe85826361aff3b3a68a227f4d3dae2ce6d9790cff09d71dd91ae