Analysis Overview
SHA256
08564def6f60d4abf5c52eb0c6136edc989d23d315dedea2fba9592fce938daa
Threat Level: Shows suspicious behavior
The file 2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-08 20:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 20:30
Reported
2024-06-08 20:38
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2972 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2972 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 54be80e502b47ad9464dbcca4e55248a |
| SHA1 | 2c21601f1ad47c5ad8b1fb7632e7b4c8f884b3b1 |
| SHA256 | 02e16e50aea04b40707c691c4de9836b0bbdf94aba1ca44ad0ef296dfd0f5f6b |
| SHA512 | 75830f991b4e2cab8acb8f57472e86e117cae57425b6eed3fdb54e331621c9e3b0615be6fb2be8a49a7d92e0ab6ac0db2db74ab8fd91d43e3cebd3601dc49693 |
C:\Users\Admin\AppData\Local\Temp\61xgIojPh0E5foQ.exe
| MD5 | 26c0e40729470bafbf964bdbcae1137a |
| SHA1 | 1f371ad7fdc4b81aab41c82d70e95255aaa8f365 |
| SHA256 | dc309532082bf4376c10e22634f764187fdd7634cdced5720e6dcb4f3f1f4bbd |
| SHA512 | ff889d57e2ada8ea80d642edca3bc72b13f361db82619d8ea932a4acd57555e53e0fe6afdaf36319b5a2f015133fc90bb945562814f3324414beaf92d9351970 |
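The signatures above (file dropped into C:\Windows, a Run value pointing at it, the dropped EXE then executed) are the same in both detonations, and the Run key appears in the kernel-path form `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\...`, which is how a 32-bit process's write to HKLM\SOFTWARE\...\Run is logged on 64-bit Windows. The script below is an added example, not part of this report or of any sandbox's code: it normalizes such registry paths, replays Sysmon-like telemetry against the report's indicators, chains them (Run value that points at a file the same chain dropped), and converts the in-addr.arpa names from the Network table back to the IPs that were looked up. The event records in `SAMPLE_EVENTS` are constructed for the example; the paths, value name and SHA256 are taken from the report.

```python
"""Added example: match this report's behavioural indicators against host
telemetry. SAMPLE_EVENTS is constructed (Sysmon-like dicts); the indicator
values below are copied from the sandbox report."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# --- indicators taken from the report ---------------------------------
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe")
DROPPED_EXE = r"C:\Windows\CTS.exe"
KNOWN_BAD_SHA256 = {
    # SHA256 of C:\Windows\CTS.exe as listed under Files
    "b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc",
}
RUN_KEY_SUFFIX = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
_HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


def normalize_reg_path(path: str) -> str:
    """Map a kernel-style registry path (the form sandboxes log) to the
    HKLM/HKU form and strip the Wow6432Node redirection node, so a 32-bit
    writer's Run value compares equal to the native 64-bit one."""
    for prefix, hive in _HIVES.items():
        if path.upper().startswith(prefix.upper()):
            path = hive + path[len(prefix):]
            break
    return re.sub(r"\\Wow6432Node(?=\\)", "", path, flags=re.IGNORECASE)


def is_run_value(path: str) -> bool:
    """True if `path` names a value directly under a Run key (HKLM or a
    user hive under HKU)."""
    parent, _, _name = normalize_reg_path(path).rpartition("\\")
    return parent.upper().endswith(RUN_KEY_SUFFIX)


def in_windows_dir(path: str) -> bool:
    return path.upper().startswith("C:\\WINDOWS\\")


def match_indicators(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Replay telemetry in order and return {signature: [evidence]}.
    Signature names mirror the report's headings; the chained check
    'Run key points to dropped file' is what separates this sample's
    persistence from an installer that merely writes a Run value."""
    hits: Dict[str, List[str]] = defaultdict(list)
    dropped: Dict[str, str] = {}  # lower-cased path -> creating process
    for ev in events:
        if ev["type"] == "file_create":
            dropped[ev["target"].lower()] = ev["process"]
            if in_windows_dir(ev["target"]):
                hits["Drops file in Windows directory"].append(
                    f'{ev["process"]} -> {ev["target"]}')
        elif ev["type"] == "reg_set" and is_run_value(ev["key"]):
            hits["Adds Run key to start application"].append(
                f'{normalize_reg_path(ev["key"])} = {ev["data"]}')
            target = ev["data"].strip('"').lower()  # launcher strings may be quoted
            if target in dropped:
                hits["Run key points to dropped file"].append(
                    f'{ev["data"]} (dropped by {dropped[target]})')
        elif ev["type"] == "process_create":
            if ev["image"].lower() in dropped:
                hits["Executes dropped EXE"].append(
                    f'{ev["parent"]} -> {ev["image"]}')
    return dict(hits)


def sha256_of_file(path: str) -> str:
    """Hash a collected copy of a suspect file; check against KNOWN_BAD_SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def ptr_to_ip(name: str) -> str:
    """Reverse an in-addr.arpa name from the Network table back to IPv4,
    e.g. 241.150.49.20.in-addr.arpa -> 20.49.150.241."""
    lowered = name.lower()
    if not lowered.endswith(".in-addr.arpa"):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    labels = lowered[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4 or not all(l.isdigit() for l in labels):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(labels))


# Constructed telemetry reproducing the report's behavioral2 chain, plus
# one benign Run value written by a (hypothetical) installer for contrast.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": SAMPLE_EXE, "target": DROPPED_EXE},
    {"type": "reg_set", "process": SAMPLE_EXE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\CTS",
     "data": DROPPED_EXE},
    {"type": "process_create", "parent": SAMPLE_EXE, "image": DROPPED_EXE},
    {"type": "reg_set", "process": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows"
            r"\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for sig, evidence in match_indicators(SAMPLE_EVENTS).items():
        print(sig)
        for line in evidence:
            print("   ", line)
    print(ptr_to_ip("241.150.49.20.in-addr.arpa"))
```

Run against real data, feed `match_indicators` Sysmon event IDs 11 (file create), 13 (registry value set) and 1 (process create) mapped into the same three dict shapes, and compare `sha256_of_file` of any C:\Windows\CTS.exe you collect with `KNOWN_BAD_SHA256`. Note that a bare "Adds Run key" hit is noisy (the constructed installer event triggers it too); the chained check is the one worth alerting on.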
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 20:30
Reported
2024-06-08 20:38
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 868 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 868 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 868 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 868 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\CinyRPW5E9IwojM.exe
| MD5 | 4dcec04d36da5973be17e02d6ce316d1 |
| SHA1 | 1f304d17190623073d3b9b866a6787a29d0bed56 |
| SHA256 | b90c66895aae4d0dfd775c0e41d2f29668b140d776c30dc4803169d337819c5a |
| SHA512 | 936c57af8e54a2c30cf8a357d70823f0ab1605ad7c16b4017be79384c892406c25b272718afd46a81783d27df9584dc16e0879bdede1a4d457189cc7141f848c |