Analysis Overview
SHA256
b0c12ac6700ed13dd70a09c67aad3559d3020c330fc71c9f3c53ecc9afdea98a
Threat Level: Shows suspicious behavior
The file 2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:26
Reported
2024-06-03 09:29
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2804 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2804 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2804 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2804 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\5Kp4xS1trS7tr6b.exe
| Hash | Value |
|---|---|
| MD5 | bb6d497253ba049a62c2e816afae6b00 |
| SHA1 | 41bc4dcd476a0499314da3e02b93355b324e32c9 |
| SHA256 | ba6732bf07f8b9a958258fe0d73b15aea9c0ddfd09ba0a3c0506bff0fee0cccd |
| SHA512 | a8db70015d063dc5688dd7c104f50820f25c5cb4f2a8acda30e66f52c1c7a936b0e9d6a938a7b553c7b33640eb9e091f4238b0659e4d432d6d3e48875a3560df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 09:26
Reported
2024-06-03 09:29
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4416 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4416 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4416 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
|---|---|
| MD5 | 0d8515b646df5568af9ebbde76ce47a6 |
| SHA1 | 887d62b947ab9e9d69d6af832b163e165a659b2c |
| SHA256 | b8f20fc9ed2ae07f25b775eb5afebc12fe188317008d451703774142b39c0dcf |
| SHA512 | 4b02ad5f7a952d60603fea22662a2e7b42d3a476cf1559708dc0e70d9cd8a9d9ca6faa98550983274f9b979433b3375bac6859b342d9c74106ccbb705feaf2cd |
C:\Users\Admin\AppData\Local\Temp\CebFuOpU7cx9Klf.exe
| Hash | Value |
|---|---|
| MD5 | e617000fbc466207295ff6d9d10ef922 |
| SHA1 | ad1beaa2fc9f07dd9d9cba930ca1766bba5aae16 |
| SHA256 | 9f9906dcbe562a433a07bb7573a9b858ce502bca9356a3b1dd0898dbdd5a2719 |
| SHA512 | 525a88dd2bb9c8f683f24376044fa6dc6d6fe93e8f13757cb8eec88f9d39c82953c9593f65466a04f5be9fa905f729958662da84145d9987d559a43777a0637c |