Malware Analysis Report

2024-11-30 07:13

Sample ID 240603-hmg5nafc9z
Target 2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware
SHA256 97bfea76db6fd72e3bdd0b6317b5011555f53b96ff2bb63f2dc9147c0b8a5660
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

97bfea76db6fd72e3bdd0b6317b5011555f53b96ff2bb63f2dc9147c0b8a5660

Threat Level: Shows suspicious behavior

The file 2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:51

Reported

2024-06-03 06:53

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\f88ALwqLU9nR9de.exe

MD5 6020441303accaf0593b6aae740e094e
SHA1 58e54c8653be9837c1850f04dd8d0a72a193ebd7
SHA256 8441863f2af6ec07e7e914ab3d2ffd86a12350df4ef3e5ea94d8d0f78d377db4
SHA512 c07103f9b05008b6fe325d9f56b2654d9f481c87898fedd5619dcdf920ad3206b67c66fd104f90d305521d3fab2b976b709f070b4cc2caefc120560119771269

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:51

Reported

2024-06-03 06:53

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ff0cc1c9dbe2c469827a10ac651504b6_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 0c7fc6ebf1d5cb9c9a63b67e90f09dff
SHA1 354014756847d984e69a06f0dc988207ba561510
SHA256 f2bd3e32ff92b973cf53dc3e6b3e6f5ae77f4f79bcb25ed8a614e98075e8a58a
SHA512 37ca89e4a81a18e375e3d155c0a07a15e49fc5070204ce6f44e90960e5c4a820da995af36c56a737c74d83fbd5498207565439bb3d7928b6f0150f73541380a9

C:\Users\Admin\AppData\Local\Temp\1AVSnT8AdXMse8t.exe

MD5 0863aef03ea4def73c5637c707831cc5
SHA1 1301ab20ec29ad317f61c93584775d5ed8eaeb74
SHA256 94bddf7d6ce7d9045b854d21e7b6eeeade539a31c9d13733a5feef5c8fd63860
SHA512 fea69b873f95fc2842cd03b7baedda0436feb0cceda6f343cb2999bf910fca282e1d8f44fc8c93f6f08418829b614ab6b915e13aad11df51ac957374b1978a30