Analysis Overview
SHA256
2d5736e6f39945d5f06223a6c75e9103f6ede7702890bf2496e5c8fa982350a7
Threat Level: Shows suspicious behavior
The file 2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:31
Reported
2024-06-03 09:33
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 948 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 948 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 948 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 948 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\1nlzRre5bBFf3EE.exe
| MD5 | f8660f03ea5bce6bbbac04fe7133ab6e |
| SHA1 | 2b771621bad315216d1c44fc834b555a650ebcc0 |
| SHA256 | 768b6b7801693ff0dac25eaf673b1e536c328951e552089dd0ee0eeb10579ae3 |
| SHA512 | 0b644c186fa45c45706b28016ca75fc92562efdce010d9dc7450e8743bc82360a48de115c59132ea1e023d044c41e0484032f98292ef5ff34d97b17119c5ef9b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 09:31
Reported
2024-06-03 09:33
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 400 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 400 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 400 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | d9406c7d377145a44e5624813c6f4bd0 |
| SHA1 | 6b560d0843793c08ae54396e15f54e21699bb565 |
| SHA256 | 8235d2948df383380676a815a8315f20dd791118c329a1122b8e0351e1cb059e |
| SHA512 | 5c68c1f4f8453035d92112d97b7002bcaadca944ec59e719032ab92d82e4ab74dd6ce1ed1dbf3e2f4cef1419aa10b6a69daeaea85e438ee8ecc2a4f75da656bf |
C:\Users\Admin\AppData\Local\Temp\XLgKq16ju0jWInM.exe
| MD5 | 43a46f42250240a11aa7619f4d0f1039 |
| SHA1 | 5ce6874f9e4b3ff89ab3ba1952a3680148135429 |
| SHA256 | 1d6d7144127d635c0edc6332185667480cbd64ebd4bcc279e9ecbd9b82a3777e |
| SHA512 | 550f063d40b1446b114d43285a51bfaa229a5e0960c57425ccd4b768257ff16843ded3f5e6dd08b4670a87ff82666ffa0e672500fcd47ae5674295a62a61054a |