Malware Analysis Report

2024-11-30 07:20

Sample ID 240603-hjdcasfb7y
Target 2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware
SHA256 cc5e209c47f931d3004d19755b26b21686344b86f26976a2a9cf87592b2dee32
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cc5e209c47f931d3004d19755b26b21686344b86f26976a2a9cf87592b2dee32

Threat Level: Shows suspicious behavior

The file 2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:45

Reported

2024-06-03 06:48

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\m5qLdRgRBqIsFVn.exe

MD5 f7d109802e606a2e5613b82ee9a36e35
SHA1 c94033de9feecfddaad6ed69e2ce89b566158fe3
SHA256 b42ba98b0eb01066516aac12ade7249ac42eb0299c12ed42f56939ce164c0fee
SHA512 d68002581b559ff65b5b7a0e22fd7f7a60437b4c8cf14c03490484ff0957bfd308a3ed4e48beebc68074b114404ded14c8b22dda6f1d2c1799a7d0d8abb39c6d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:45

Reported

2024-06-03 06:48

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_cb199b8116cf37150da76f327a3b423e_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 8c5fad72a995c8ad3f688e1d7ec31562
SHA1 6c6a967377bb2a737fe0572634cc860b4db79b83
SHA256 8966d5fc19ae20bad4654c511fc89d2ed951dccf3473e354b36ff07d67c2887f
SHA512 fa256b9fc47f8229da62b01d92a39b08c440c4dd8e691121057d2ad176a06757d224d232d92e571cb0064b0892ca99fdb10d9ef812fb88e7f130ac51a45fae55

C:\Users\Admin\AppData\Local\Temp\Ks7SOS2gYx2J7gI.exe

MD5 c9e42f8a978dff765e9f5cfc023dfd4e
SHA1 6909eae5d34fb7306dc9f15b4bc00a72a10bcabf
SHA256 4943547c67ee378c4011576fd4b01aa1da68284d2519266080454e4bc5e3528d
SHA512 fa5cab51c12262d4f52df445427d6b6d15f52f907fcc485c9cb1850fc95e1f1cfc39910e8e9a9eb1ed094d083aa8a095bbb424adf1e64df9182deedb88e5362b