Malware Analysis Report

2024-11-13 14:28

Sample ID 240604-aqhllaef2w
Target 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware
SHA256 24cf61fc1f05c71abba8bba768cd57e1923aa612c787c9b7b7525158473b1c25
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

24cf61fc1f05c71abba8bba768cd57e1923aa612c787c9b7b7525158473b1c25

Threat Level: Shows suspicious behavior

The file 2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:24

Reported

2024-06-04 00:27

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\1WJD4CUT0yCSHtb.exe

MD5 b40391c0be3f8276c7a950b7a81de552
SHA1 98719fca196f8a20556fa22e34f9fdd4d5d72fd4
SHA256 3ba3c19b3cdb92c7fc16d36abe075c49c7f801de7867c99c51d34d42597ac08b
SHA512 df82ea8fd606cb9636daa014026bd596eb7e745b60655971772cda5bc1517abda3d3dc5c6b415e02ac2883d49df6f0224af4d7d6cf90cf4a4a83c2eb73b80ad2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:24

Reported

2024-06-04 00:27

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5fff1872ff95d09e59f17f44020f88e7_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 d60f11cfc6761bdc3db0b904ede8c3e2
SHA1 e11b7e723cf63d2475131bfcbf46a177e0c4728c
SHA256 33b6781e804a30216d6155b2c6cbfb0bc538cd14adc548e0e95ef4a178ce52ec
SHA512 6c89a7c29b1d25f7f55d92af0e819365d153b74803c89c7cbba0248956a10e6da9c94b64b21215a8efb5dee3e7b953d1fb90a4cca66d3e5eaf85cf299cfb2965

C:\Users\Admin\AppData\Local\Temp\MQBbJsBwdwRItrJ.exe

MD5 eda76a744b262248ac7bf5b070c949b8
SHA1 d7b68794dc1c353919cad40f2138252ab3d81e53
SHA256 9cec0460de8127b6b7e6c687b9bf3f53d61a6bb52e740f01e7e3c2c8998369eb
SHA512 c2c893717fc5cd9d1c822e381ab9bf080506920b109f6e252d950ac07303de3107d671528d133ade7330db0bb90c75e99b08fb238a460d59d96b4b5e24640106