Analysis Overview
SHA256
06d6584f45c5204cf03d122f344f333b8a0562872a3dc1ad9260d4595ca605c5
Threat Level: Shows suspicious behavior
The file 2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:49
Reported
2024-06-04 00:52
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2888 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2888 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2888 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2888 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\JuEGxPsKv6fl0Fy.exe
| MD5 | 1d749ab21309f18dcd4409daf60f477e |
| SHA1 | 3bb45b3a15750ed4c7b22a0b46d88571fa46a546 |
| SHA256 | 4c0176766c12980eed973f3408b9b55a36f181e86bdb6b7d5f0b2a00ada9d81c |
| SHA512 | 81345697296aa69228d4a04782ccbfc025ac27ba29aacf95ca3208b605c05fd5f3214b3d7dae3a62ee37e8bd92d213c01c9ac1efe67294413e01954960b32432 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:49
Reported
2024-06-04 00:52
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4800 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4800 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4800 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4604,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 97bfd814f0f1f26d5004e9d0ec1c1525 |
| SHA1 | ffdafdc6931b4793f678d2a6641f7a0bf39c147a |
| SHA256 | d6f4769042940c40da5ed3fb5d943ae07c733f5594291d6a7a5f61ddd1833618 |
| SHA512 | 85ab141eb76ee006699cd6d42db1dd809a98e80d3f6defd1c213501d2afc20114089d35cbd8a59044b0b329b7fa35e5919cc347c76317392dd2ddb21bc05ecd5 |
C:\Users\Admin\AppData\Local\Temp\6KP7BEPXN1hJuxa.exe
| MD5 | eb6e6e8eede8917ac7635e58800412cc |
| SHA1 | e1b940548e4b903fb466a2926c6f7691956a774a |
| SHA256 | ad074e25969b956b25f1b58b7342831649bdefb48a6157609bbe8bf96668c295 |
| SHA512 | da3ec78b165d759b4e9d94b81e9dbefc71ce4216fe5c33fd84d8a56d48d05c3f60660b259555c90a423ac289860dd011693b3415d23735e26acb028a9fa5bc92 |