Malware Analysis Report

2024-11-15 06:38

Sample ID 240604-a6j5csgb29
Target 2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware
SHA256 06d6584f45c5204cf03d122f344f333b8a0562872a3dc1ad9260d4595ca605c5
Tags
persistence spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:49

Reported

2024-06-04 00:52

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\JuEGxPsKv6fl0Fy.exe

MD5 1d749ab21309f18dcd4409daf60f477e
SHA1 3bb45b3a15750ed4c7b22a0b46d88571fa46a546
SHA256 4c0176766c12980eed973f3408b9b55a36f181e86bdb6b7d5f0b2a00ada9d81c
SHA512 81345697296aa69228d4a04782ccbfc025ac27ba29aacf95ca3208b605c05fd5f3214b3d7dae3a62ee37e8bd92d213c01c9ac1efe67294413e01954960b32432

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:49

Reported

2024-06-04 00:52

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4604,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8

Network


Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 97bfd814f0f1f26d5004e9d0ec1c1525
SHA1 ffdafdc6931b4793f678d2a6641f7a0bf39c147a
SHA256 d6f4769042940c40da5ed3fb5d943ae07c733f5594291d6a7a5f61ddd1833618
SHA512 85ab141eb76ee006699cd6d42db1dd809a98e80d3f6defd1c213501d2afc20114089d35cbd8a59044b0b329b7fa35e5919cc347c76317392dd2ddb21bc05ecd5

C:\Users\Admin\AppData\Local\Temp\6KP7BEPXN1hJuxa.exe

MD5 eb6e6e8eede8917ac7635e58800412cc
SHA1 e1b940548e4b903fb466a2926c6f7691956a774a
SHA256 ad074e25969b956b25f1b58b7342831649bdefb48a6157609bbe8bf96668c295
SHA512 da3ec78b165d759b4e9d94b81e9dbefc71ce4216fe5c33fd84d8a56d48d05c3f60660b259555c90a423ac289860dd011693b3415d23735e26acb028a9fa5bc92