Malware Analysis Report

2024-11-15 06:40

Sample ID: 240603-lgzz3aab6t
Target: 2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware
SHA256: 3ce3210ade8bb1bc8281b764344310669f6582c14900970aa5d97876893fd08e
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 3ce3210ade8bb1bc8281b764344310669f6582c14900970aa5d97876893fd08e

Threat Level: Shows suspicious behavior

The file 2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 09:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 09:30

Reported: 2024-06-03 09:33

Platform: win7-20240221-en

Max time kernel: 120s

Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\AqVKpp27m9KIvGl.exe

MD5 5b9e752f11a2f0e7b80c96313650ddad
SHA1 41c5364f97b32ceff0becc49702a56b60bf8645a
SHA256 fd428d85e21799bfcd24cfba1449866e971e6bff040d2907b21dba8bcb37f5c4
SHA512 19495cd2f8b23616d15822f26582849d2b12919d1cceac14c1c3513850a25a3a0648c7096728f03978d00750438034b5e6e4eb58e9a4adfd3b68fffc4c34e618

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 09:30

Reported: 2024-06-03 09:33

Platform: win10v2004-20240426-en

Max time kernel: 92s

Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_3213c6175c2f1919a41d773c7d62d395_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a04cb62372e364d86da86176b1f898bc
SHA1 b66444e8c72356a18a9061bfc3c9520aaec7a3ab
SHA256 fb2cfb0c8c88a4afeed0864f58e04b1ca74635e3970c146c426f7e321cac3c9a
SHA512 fde929239d6a53d83154c0c15b88ceac8cb60879ec0638171ab16d718e8bcb646f53e26d8b2561346ebec82d00cdf54eb7a9e3ed2e4dbcc69333839cf906436f

C:\Users\Admin\AppData\Local\Temp\3HPWD7baALU7TcK.exe

MD5 397a82e14c3fff2b778685c4ec57aa5e
SHA1 b0c1e81175d1da4ecf73a98ddb7c2a365d4ac28c
SHA256 9da976d102d94e74ffbba2a18f0a25c044b0bac86e234a8f66e6eefa36f5ba5b
SHA512 c75bf5728bf6f95e55dd0c104369b60b9196935cb7506a8ece3c997efcdf7a32a3355e3cd645b9339e2c063d0d96b80eb6c0768b8122741174bdab2d4d71c9fb