Malware Analysis Report

2024-11-30 07:13

Sample ID 240603-hlem5sfc7s
Target 2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware
SHA256 333fe47ab24ddeb05c85270084b42799c34c61f48c690814b2d44e4cf825e224
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

333fe47ab24ddeb05c85270084b42799c34c61f48c690814b2d44e4cf825e224

Threat Level: Shows suspicious behavior

The file 2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:49

Reported

2024-06-03 06:51

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\XVosSWrN76PRsBC.exe

MD5 df9b73f6750abfde168b178357997a57
SHA1 fe451c41391dec65a0c2431bb4e27dd9fab343b3
SHA256 5594e8608ab59cb651f0fa9a1eb747f25c469b16ce5f9099f417f4d877ecf170
SHA512 8a2fbb9faeb34dc16a08cdb25c40644ee1378f7f2dfb74e33f53c631b30fdc3026e92f3e132d22b91515fef602563211639cbe9257f40e7ad52ddfbd5d157910

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:49

Reported

2024-06-03 06:51

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f48cc34a56af6db153fc1c29a0dab89f_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a9abcf7c2b683d2b436612855b38c47a
SHA1 b04ccf6b326c4854feb81d8484dd4c4a2b7323eb
SHA256 503ee2d79da8a5b94f6d957e83331b29b40c4ac4381fa69ce1b2a73f76912e1d
SHA512 cc6aa6011958672520b68c75cec83aa659eef70a3be944b4579558451dd59db947c0a0b058c9a2cc9d261196bf3fb56c6e166a6e560fc3263aec4fc27f80e13a

C:\Users\Admin\AppData\Local\Temp\mANA2oul3LGYSbo.exe

MD5 9f0ababa635fa376d4c1cdb0afa22a89
SHA1 1451e575ceaf120472bab87930b29ccaa3f3738c
SHA256 622f4483b2a4194ded5f058797a451232dfc654b22b329561669246b56d032e8
SHA512 41c1d6f3b7a951f9c6ea30f7fbda1e13e92f3448d7be7eacfbb581d4ef19e9505eb21d12be6f19be442927e901e3f48d2bb885748b32ebc9d25179d5415912fe