Malware Analysis Report

2024-11-30 07:20

Sample ID 240603-hgt72agc59
Target 2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware
SHA256 0f6f1d62a783f941c5a971af0863be10efbb80a2d4bf2b193aea77844c83cdf9
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0f6f1d62a783f941c5a971af0863be10efbb80a2d4bf2b193aea77844c83cdf9

Threat Level: Shows suspicious behavior

The file 2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:42

Reported

2024-06-03 06:45

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuyEEi0ygaewR1S.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\vuyEEi0ygaewR1S.exe

C:\Users\Admin\AppData\Local\Temp\vuyEEi0ygaewR1S.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2504-10-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

\Users\Admin\AppData\Local\Temp\vuyEEi0ygaewR1S.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Users\Admin\AppData\Local\Temp\vuyEEi0ygaewR1S.exe

MD5 52d7d04ce583a47172b30b479043c57f
SHA1 2591d1c2589f731e2e31736804b3a3d7f5dc70a3
SHA256 597f4757bdefa2e743b7b8e4089addf8be56184633922faa1053ec289cdbffd0
SHA512 2c724369e839874dd3b9d892489f6a03ee01bc86f7bb970dec01c1a79696f2965acab754285eaa04fc1a6d6d36de378600be5ee2b67effa7c542bfe38cb5cfe0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:42

Reported

2024-06-03 06:45

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yy0i4b27xJFVXSq.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_b48e317d598e7f7d26fb5e34a4ff260c_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\yy0i4b27xJFVXSq.exe

C:\Users\Admin\AppData\Local\Temp\yy0i4b27xJFVXSq.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\yy0i4b27xJFVXSq.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 6159b4943f07f62f248442cb3e44835f
SHA1 ca67dd03c06a8d50bb7be0f718cac3bd6b28a2a2
SHA256 3cd9d16b29c3155815d63112e5d848496c0a2d710b1d8bd9ee26973e5d61f930
SHA512 d8fb64eacdd9517f01a649ac859e174aac86e0a78cbdf9e4a9a0e1ad6491f97cebbeb1a7b3fbe7a577ed975d72afe48e7d2c1ec345ef083e3219bb551217c6c1

memory/2408-11-0x0000000000400000-0x000000000040D000-memory.dmp