Malware Analysis Report

2024-11-15 06:40

Sample ID 240603-leddaaaa7w
Target 2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware
SHA256 b0c12ac6700ed13dd70a09c67aad3559d3020c330fc71c9f3c53ecc9afdea98a
Tags persistence spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

7/10

SHA256

b0c12ac6700ed13dd70a09c67aad3559d3020c330fc71c9f3c53ecc9afdea98a

Threat Level: Shows suspicious behavior

The file 2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:26

Reported

2024-06-03 09:29

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\5Kp4xS1trS7tr6b.exe

MD5 bb6d497253ba049a62c2e816afae6b00
SHA1 41bc4dcd476a0499314da3e02b93355b324e32c9
SHA256 ba6732bf07f8b9a958258fe0d73b15aea9c0ddfd09ba0a3c0506bff0fee0cccd
SHA512 a8db70015d063dc5688dd7c104f50820f25c5cb4f2a8acda30e66f52c1c7a936b0e9d6a938a7b553c7b33640eb9e091f4238b0659e4d432d6d3e48875a3560df

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:26

Reported

2024-06-03 09:29

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_02f6b237cd741d9110ee2cbfc1a2714f_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 0d8515b646df5568af9ebbde76ce47a6
SHA1 887d62b947ab9e9d69d6af832b163e165a659b2c
SHA256 b8f20fc9ed2ae07f25b775eb5afebc12fe188317008d451703774142b39c0dcf
SHA512 4b02ad5f7a952d60603fea22662a2e7b42d3a476cf1559708dc0e70d9cd8a9d9ca6faa98550983274f9b979433b3375bac6859b342d9c74106ccbb705feaf2cd

C:\Users\Admin\AppData\Local\Temp\CebFuOpU7cx9Klf.exe

MD5 e617000fbc466207295ff6d9d10ef922
SHA1 ad1beaa2fc9f07dd9d9cba930ca1766bba5aae16
SHA256 9f9906dcbe562a433a07bb7573a9b858ce502bca9356a3b1dd0898dbdd5a2719
SHA512 525a88dd2bb9c8f683f24376044fa6dc6d6fe93e8f13757cb8eec88f9d39c82953c9593f65466a04f5be9fa905f729958662da84145d9987d559a43777a0637c