Malware Analysis Report

2024-11-15 06:41

Sample ID 240603-lg71nsbd65
Target 2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware
SHA256 2d5736e6f39945d5f06223a6c75e9103f6ede7702890bf2496e5c8fa982350a7
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2d5736e6f39945d5f06223a6c75e9103f6ede7702890bf2496e5c8fa982350a7

Threat Level: Shows suspicious behavior

The file 2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:31

Reported

2024-06-03 09:33

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\1nlzRre5bBFf3EE.exe

MD5 f8660f03ea5bce6bbbac04fe7133ab6e
SHA1 2b771621bad315216d1c44fc834b555a650ebcc0
SHA256 768b6b7801693ff0dac25eaf673b1e536c328951e552089dd0ee0eeb10579ae3
SHA512 0b644c186fa45c45706b28016ca75fc92562efdce010d9dc7450e8743bc82360a48de115c59132ea1e023d044c41e0484032f98292ef5ff34d97b17119c5ef9b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:31

Reported

2024-06-03 09:33

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_364e0b86d674ba928843dadc91e7dad5_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 d9406c7d377145a44e5624813c6f4bd0
SHA1 6b560d0843793c08ae54396e15f54e21699bb565
SHA256 8235d2948df383380676a815a8315f20dd791118c329a1122b8e0351e1cb059e
SHA512 5c68c1f4f8453035d92112d97b7002bcaadca944ec59e719032ab92d82e4ab74dd6ce1ed1dbf3e2f4cef1419aa10b6a69daeaea85e438ee8ecc2a4f75da656bf

C:\Users\Admin\AppData\Local\Temp\XLgKq16ju0jWInM.exe

MD5 43a46f42250240a11aa7619f4d0f1039
SHA1 5ce6874f9e4b3ff89ab3ba1952a3680148135429
SHA256 1d6d7144127d635c0edc6332185667480cbd64ebd4bcc279e9ecbd9b82a3777e
SHA512 550f063d40b1446b114d43285a51bfaa229a5e0960c57425ccd4b768257ff16843ded3f5e6dd08b4670a87ff82666ffa0e672500fcd47ae5674295a62a61054a