Analysis Overview
SHA256
a9f7c4d2716c64b45190b04b9a36861a6122b136f973079f4d4a6d72f5761b18
Threat Level: Shows suspicious behavior
The file 2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 15:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 15:25
Reported
2024-06-02 15:27
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2260 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2260 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2260 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2260 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\pxEJfDcl0SBDTGw.exe
| MD5 | 9d350bc5dfdc3ade3a787754cafec2c5 |
| SHA1 | 501ea7deed824b41b6674d6ce26563338ad69898 |
| SHA256 | dd2e9a5b01e848b3ba43115b6f034a265ac95b79623a81a89e6bc87f430bf9bd |
| SHA512 | 7010523ee729f8693cf9285f8cea0b3cb5ad3a47fb649d722b9f8a3033a34313004f8afd4cba620656fa68b4e21531dc5b73f1041d3b7be6c34b26ece9c5b8df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 15:25
Reported
2024-06-02 15:27
Platform
win10v2004-20240508-en
Max time kernel
129s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 968 wrote to memory of 3688 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | C:\Windows\CTS.exe |
| PID 968 wrote to memory of 3688 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | C:\Windows\CTS.exe |
| PID 968 wrote to memory of 3688 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 61dfdc4e999808f8e58a5b68c20f5c63 |
| SHA1 | 5dab229d7878e2dfa43073ce61cd6c73d8250877 |
| SHA256 | 9fb6144c404888a795685f68b3f8ceff1feccec67516e711e3590e9719c3cfd9 |
| SHA512 | e9a3b2525bc6a74198189d7d0ddbdb3e9dcb500623794f8af49b72bfc127b47fac8b1a89997e31e1ead3f96b30162983d3d9ccc54a1eac0ebe74fb020476fc08 |
C:\Users\Admin\AppData\Local\Temp\HDrFUcAJLyDOJpu.exe
| MD5 | a8a35f0759bb26a32b8ebeaf36b7f36b |
| SHA1 | 0b3be30a844a009c8f4ee46470b92cc84c72452e |
| SHA256 | ae1521458e125778a35f8ffd4d14a76146398cbc69ace2213e5b91e3fd600028 |
| SHA512 | a871170e77864119ac44681a6d3c6d31d1be55b0d99d1f5e64b0d9d4739d723744033a7d96ee5147e3d50ed1e027337fd42032d4d4df12b2ec431f5c0d767672 |