Analysis Overview
SHA256: fa7491bf03055707a9a8c322fd5c694a728e75f485fea8922be19500fa237773
Threat Level: Shows suspicious behavior
The file 2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-03 06:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-03 06:26
Reported: 2024-06-03 06:29
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1844 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1844 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1844 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1844 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\pmOhUhVhL0H5jnk.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | a996b732154caa65a5b972cb1139b472 |
| SHA1 | afba727b71e7ad4659d57ab068eb7470c30c79c5 |
| SHA256 | d03322312cf4e43b6a44d6c0a238d868f8742053789796e3a9034d8a6b529379 |
| SHA512 | e96d41b797f743a3a2f81696b1d6278dd382a02da70d55295956df96d9ab35a30b49d2064d1d0f0beb62f75432e3f59cd21b22548ccad48c7c949839b55684d7 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-03 06:26
Reported: 2024-06-03 06:29
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2440 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2440 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2440 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Algorithm | Hash |
| --- | --- |
| MD5 | 3c5b188123f6797387eb26997bacc3f6 |
| SHA1 | f363ba52e5be759b65b5d4c28b445475b175969a |
| SHA256 | 17b62e1a93a14a5009fd8a3e57d0f04bd1eab89c72acea4c91f776d724dcbcfb |
| SHA512 | 6b759c0188f6df297ced90e4c13175ea4c25a907c9518da005e5a0a68ed428af2ec793586e3a7b6d8bd86371269512d27e4d90b82ead1b99ed3b3bb82be9db5e |
C:\Users\Admin\AppData\Local\Temp\jhA7lUKrhTgc6A1.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | 37bb06045381d4779615bc7d9dbf0184 |
| SHA1 | 04162b3c38ab3ad9686518521fd1bcb336a99ee9 |
| SHA256 | d22c51ad1abbdedf8e3bbdd14e0600b189568aee07f76256f69a79a89df27e3b |
| SHA512 | c246307b86d48cfb2c8310de8350669b4193314476db60440f9f3ced3047031981cace5218cc99ac1350f732488cd339f091afa07dcf45e2891344422fcf61f1 |