Malware Analysis Report

2024-11-15 06:14

Sample ID 240604-asmy4aef9x
Target 2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware
SHA256 9b72c3dc86282139d039f45ee6ce6ee546a7d9c209fb9ca4736c5b05774b3f3c
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9b72c3dc86282139d039f45ee6ce6ee546a7d9c209fb9ca4736c5b05774b3f3c

Threat Level: Shows suspicious behavior

The file 2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:28

Reported

2024-06-04 00:31

Platform

win7-20240220-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\egfBY8mWsh3Y1v9.exe

MD5 2650bf72fd6322776ee9bd69a0ed9a35
SHA1 cb53d30abdc132f383cef19738d9ed0729f91379
SHA256 df49a7093056889f531868a3b6af55fa6794462dabbe3b73165619f733e0f6fd
SHA512 af003ea421bdac0e811b9222a5356b1ecab3775b2f76407ec3f7fbe1065087134810ab7eb09188d0a998264fe1f489cb83ffbec021ee4ed885d47c128f96e9e3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:28

Reported

2024-06-04 00:31

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_9d907de961e3f0f14fe3da905c77122c_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 68fa0a26341c518ceb1f0d636332f2ee
SHA1 d3c518788a9e112ba74f1515b49d44d7f27ef091
SHA256 d7094c8cd68925514e57873c45d6ba5f6a73f7c148c961ad4de200b0dd376cf8
SHA512 05e9ac6e3ba0d958ca5850593035c7af52dc1ab61cba2d76043d02e541eb71fdb3ba693d0aab91d27e13adff356f135007b257fb313e469e81dd22e430203ba5

C:\Users\Admin\AppData\Local\Temp\yn9uBuKxK3AFeXa.exe

MD5 ca596862678afef21bbf23fc18842e51
SHA1 e06ee5064eec590dd5146c843beff7cc70b899bf
SHA256 446db7674e15efb1f9470f7900853d8332684ac27f892b6eb99753ac28e9b069
SHA512 ef8b50f5e5c4af926cb4b6165338245f4e63575527d7eabc0b6c904ce1b1f7aadbcb9c7e3ec54bc2b67ae6cfb03de66fa7227aceb89206d58f8aaca9046fdad1