Malware Analysis Report

2024-11-15 06:41

Sample ID 240603-lgbbpsbd28
Target 2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware
SHA256 7ad69e79d3fa46aab84ecec563eca22611b4ac81e52967cfc1b87d4e3044a21e
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7ad69e79d3fa46aab84ecec563eca22611b4ac81e52967cfc1b87d4e3044a21e

Threat Level: Shows suspicious behavior

The file 2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:29

Reported

2024-06-03 09:32

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CYYr7cQfRnnrwAw.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\CYYr7cQfRnnrwAw.exe

C:\Users\Admin\AppData\Local\Temp\CYYr7cQfRnnrwAw.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

memory/1752-15-0x0000000000400000-0x000000000040D000-memory.dmp

\Users\Admin\AppData\Local\Temp\CYYr7cQfRnnrwAw.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Users\Admin\AppData\Local\Temp\CYYr7cQfRnnrwAw.exe

MD5 357e685f534ad6bbf22bfb9766733324
SHA1 eac21f61dcc4384f0c1fa9ee3663b23321ae11ed
SHA256 9daea149ee8edf1d29e1195dc7a9d71041dac16828957a086e421ad8d3ea595e
SHA512 4b924d5db0b3da1d37765b07e50e7ad75b5a99ad5de82b42d754b2d9770e5bd5b5fd7a7f36a736cdaec143959cf640802d0452c928b00630de8a55333b64d01e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:29

Reported

2024-06-03 09:32

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\M2cTnsyzwjodubt.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_1e138ba27e069eebe7d994fb51386e90_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\M2cTnsyzwjodubt.exe

C:\Users\Admin\AppData\Local\Temp\M2cTnsyzwjodubt.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\M2cTnsyzwjodubt.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

memory/2308-9-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 65d58309fdf1dd5c23d590cf5e012f12
SHA1 cfed61bf9caf94eeeffb40d6b78dbdd908237f35
SHA256 6185f08680801e8925364088c48d6a7d2462dfa1f030aefd45e5d2c590bfc580
SHA512 ab3c2b37650a33110d38bef001afcc5439725930f4a29699372cc96a10857aadefd7878b9585ffea6787281b4ba69661ab7d246c6910412f040141a89db5d05b