Analysis Overview
SHA256
24cf61fc1f05c71abba8bba768cd57e1923aa612c787c9b7b7525158473b1c25
Threat Level: Shows suspicious behavior
The file 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:24
Reported
2024-06-04 00:27
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2756 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2756 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2756 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2756 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\1WJD4CUT0yCSHtb.exe
| MD5 | b40391c0be3f8276c7a950b7a81de552 |
| SHA1 | 98719fca196f8a20556fa22e34f9fdd4d5d72fd4 |
| SHA256 | 3ba3c19b3cdb92c7fc16d36abe075c49c7f801de7867c99c51d34d42597ac08b |
| SHA512 | df82ea8fd606cb9636daa014026bd596eb7e745b60655971772cda5bc1517abda3d3dc5c6b415e02ac2883d49df6f0224af4d7d6cf90cf4a4a83c2eb73b80ad2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:24
Reported
2024-06-04 00:27
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
103s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 848 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | C:\Windows\CTS.exe |
| PID 848 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | C:\Windows\CTS.exe |
| PID 848 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | d60f11cfc6761bdc3db0b904ede8c3e2 |
| SHA1 | e11b7e723cf63d2475131bfcbf46a177e0c4728c |
| SHA256 | 33b6781e804a30216d6155b2c6cbfb0bc538cd14adc548e0e95ef4a178ce52ec |
| SHA512 | 6c89a7c29b1d25f7f55d92af0e819365d153b74803c89c7cbba0248956a10e6da9c94b64b21215a8efb5dee3e7b953d1fb90a4cca66d3e5eaf85cf299cfb2965 |
C:\Users\Admin\AppData\Local\Temp\MQBbJsBwdwRItrJ.exe
| MD5 | eda76a744b262248ac7bf5b070c949b8 |
| SHA1 | d7b68794dc1c353919cad40f2138252ab3d81e53 |
| SHA256 | 9cec0460de8127b6b7e6c687b9bf3f53d61a6bb52e740f01e7e3c2c8998369eb |
| SHA512 | c2c893717fc5cd9d1c822e381ab9bf080506920b109f6e252d950ac07303de3107d671528d133ade7330db0bb90c75e99b08fb238a460d59d96b4b5e24640106 |