Malware Analysis Report

2024-11-30 07:43

Sample ID 240603-g7pvkaef5t
Target 2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware
SHA256 fa7491bf03055707a9a8c322fd5c694a728e75f485fea8922be19500fa237773
Tags: persistence, spyware, stealer

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

fa7491bf03055707a9a8c322fd5c694a728e75f485fea8922be19500fa237773

Threat Level: Shows suspicious behavior

The file 2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:26

Reported

2024-06-03 06:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\pmOhUhVhL0H5jnk.exe

MD5 a996b732154caa65a5b972cb1139b472
SHA1 afba727b71e7ad4659d57ab068eb7470c30c79c5
SHA256 d03322312cf4e43b6a44d6c0a238d868f8742053789796e3a9034d8a6b529379
SHA512 e96d41b797f743a3a2f81696b1d6278dd382a02da70d55295956df96d9ab35a30b49d2064d1d0f0beb62f75432e3f59cd21b22548ccad48c7c949839b55684d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:26

Reported

2024-06-03 06:29

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_31ecf59742269efc5cbd7a7ad294e1cd_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 3c5b188123f6797387eb26997bacc3f6
SHA1 f363ba52e5be759b65b5d4c28b445475b175969a
SHA256 17b62e1a93a14a5009fd8a3e57d0f04bd1eab89c72acea4c91f776d724dcbcfb
SHA512 6b759c0188f6df297ced90e4c13175ea4c25a907c9518da005e5a0a68ed428af2ec793586e3a7b6d8bd86371269512d27e4d90b82ead1b99ed3b3bb82be9db5e

C:\Users\Admin\AppData\Local\Temp\jhA7lUKrhTgc6A1.exe

MD5 37bb06045381d4779615bc7d9dbf0184
SHA1 04162b3c38ab3ad9686518521fd1bcb336a99ee9
SHA256 d22c51ad1abbdedf8e3bbdd14e0600b189568aee07f76256f69a79a89df27e3b
SHA512 c246307b86d48cfb2c8310de8350669b4193314476db60440f9f3ced3047031981cace5218cc99ac1350f732488cd339f091afa07dcf45e2891344422fcf61f1