Analysis Overview
SHA256
3ce3210ade8bb1bc8281b764344310669f6582c14900970aa5d97876893fd08e
Threat Level: Shows suspicious behavior
The file 2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:30
Reported
2024-06-03 09:33
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 548 (recorded 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\AqVKpp27m9KIvGl.exe
| MD5 | 5b9e752f11a2f0e7b80c96313650ddad |
| SHA1 | 41c5364f97b32ceff0becc49702a56b60bf8645a |
| SHA256 | fd428d85e21799bfcd24cfba1449866e971e6bff040d2907b21dba8bcb37f5c4 |
| SHA512 | 19495cd2f8b23616d15822f26582849d2b12919d1cceac14c1c3513850a25a3a0648c7096728f03978d00750438034b5e6e4eb58e9a4adfd3b68fffc4c34e618 |
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 09:30
Reported
2024-06-03 09:33
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
97s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4844 wrote to memory of 5096 (recorded 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
All recorded traffic is DNS: reverse (PTR) lookups of the form d.c.b.a.in-addr.arpa (the octets of the looked-up address in reverse order, e.g. 228.249.119.40.in-addr.arpa resolves 40.119.249.228) sent to 8.8.8.8:53 over UDP. No other outbound connection is recorded in this detonation. PTR lookups like these are routinely generated by the operating system itself and are weak indicators on their own; treat them as context rather than as sample-specific IOCs.
| Country | Destination | Domain (DNS query name) | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | a04cb62372e364d86da86176b1f898bc |
| SHA1 | b66444e8c72356a18a9061bfc3c9520aaec7a3ab |
| SHA256 | fb2cfb0c8c88a4afeed0864f58e04b1ca74635e3970c146c426f7e321cac3c9a |
| SHA512 | fde929239d6a53d83154c0c15b88ceac8cb60879ec0638171ab16d718e8bcb646f53e26d8b2561346ebec82d00cdf54eb7a9e3ed2e4dbcc69333839cf906436f |
C:\Users\Admin\AppData\Local\Temp\3HPWD7baALU7TcK.exe
| MD5 | 397a82e14c3fff2b778685c4ec57aa5e |
| SHA1 | b0c1e81175d1da4ecf73a98ddb7c2a365d4ac28c |
| SHA256 | 9da976d102d94e74ffbba2a18f0a25c044b0bac86e234a8f66e6eefa36f5ba5b |
| SHA512 | c75bf5728bf6f95e55dd0c104369b60b9196935cb7506a8ece3c997efcdf7a32a3355e3cd645b9339e2c063d0d96b80eb6c0768b8122741174bdab2d4d71c9fb |
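The signature tables in behavioral1 and behavioral2 record the same chain: the sample drops C:\Windows\CTS.exe (same SHA256 in both runs), registers it under HKLM\...\Run\CTS, writes into the child process, and CTS.exe re-sets the Run value itself. Two details matter when turning this into a detection: the Run key sits under the WOW64 redirection node (Wow6432Node on Win7, WOW6432Node on Win10, so the match must be case-insensitive), and the Temp-resident dropper name is random per run, so the stable indicators are the dropped path, its hash, and the behaviour pattern rather than the original filename. The following Python is an added example, not part of the sandbox report: it applies those rules to a handful of constructed Sysmon-style events (field names follow Sysmon's RegistryValueSet, FileCreate and ProcessAccess events; the events themselves are made up to mirror the report's rows) and correlates hits per image. PROCESS_VM_WRITE (0x20) is the access right WriteProcessMemory requires.

```python
import re
from collections import defaultdict

# Indicators taken from the report above (identical in both detonations).
DROPPED_EXE = r"c:\windows\cts.exe"
DROPPED_SHA256 = "b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc"

# HKLM\...\Run with or without the WOW64 redirection node, matched on lower-cased
# input because the Win7 run logged "Wow6432Node" and the Win10 run "WOW6432Node".
RUN_KEY = re.compile(
    r"^(?:\\registry\\machine|hklm)\\software\\(?:wow6432node\\)?"
    r"microsoft\\windows\\currentversion\\run\\(?P<name>[^\\]+)$"
)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")   # %LOCALAPPDATA%, %TEMP%, ...
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")   # an .exe directly under C:\Windows
PROCESS_VM_WRITE = 0x0020                                       # access right needed by WriteProcessMemory


def norm(path):
    """Lower-case and strip quotes so registry and file paths compare reliably."""
    return path.strip().strip('"').lower()


def check(ev):
    """Return a list of (rule, image) hits for one Sysmon-style event dict."""
    hits = []
    img = norm(ev.get("Image", ""))
    kind = ev["EventType"]
    if kind == "RegistryValueSet":
        if RUN_KEY.match(norm(ev["TargetObject"])):
            target = norm(ev["Details"])
            # Run value pointing at a bare exe in C:\Windows, or set by a process in a user-writable dir
            if WINDOWS_ROOT_EXE.match(target) or USER_WRITABLE.match(img):
                hits.append(("run_key_persistence", img))
    elif kind == "FileCreate":
        if WINDOWS_ROOT_EXE.match(norm(ev["TargetFilename"])) and USER_WRITABLE.match(img):
            hits.append(("exe_dropped_in_windows", img))
        if ev.get("SHA256", "").lower() == DROPPED_SHA256:
            hits.append(("known_dropped_hash", img))
    elif kind == "ProcessAccess":
        src, tgt = norm(ev["SourceImage"]), norm(ev["TargetImage"])
        if int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE and USER_WRITABLE.match(src) and tgt == DROPPED_EXE:
            hits.append(("write_to_dropped_process", src))
    return hits


def triage(events):
    """Group rule hits by image and flag images showing the drop-then-register chain."""
    by_image = defaultdict(set)
    for ev in events:
        for rule, img in check(ev):
            by_image[img].add(rule)
    chain = {"exe_dropped_in_windows", "run_key_persistence"}
    chains = sorted(img for img, rules in by_image.items() if chain <= rules)
    return dict(by_image), chains


# Constructed events mirroring the report's rows (not sandbox output).
SAMPLE = r"c:\users\admin\appdata\local\temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe"
EVENTS = [
    {"EventType": "FileCreate", "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\CTS.exe", "SHA256": DROPPED_SHA256},
    {"EventType": "RegistryValueSet", "Image": SAMPLE,            # Win7 spelling of the node
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS",
     "Details": r"C:\Windows\CTS.exe"},
    {"EventType": "RegistryValueSet", "Image": r"C:\Windows\CTS.exe",   # Win10 spelling, set by the child
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS",
     "Details": r"C:\Windows\CTS.exe"},
    {"EventType": "ProcessAccess", "SourceImage": SAMPLE,
     "TargetImage": r"C:\Windows\CTS.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign control: an updater under Program Files registering itself (should not fire).
    {"EventType": "RegistryValueSet", "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
]

if __name__ == "__main__":
    hits, chains = triage(EVENTS)
    for img, rules in hits.items():
        print(img, sorted(rules))
    print("persistence chain:", chains)
```

On a live host the same rules map onto Sysmon Event IDs 13 (RegistryValueSet), 11 (FileCreate) and 10 (ProcessAccess); the Program Files control event shows why the rule keys on where the writer lives and where the Run value points rather than on the Run key alone.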