Malware Analysis Report

2025-08-06 00:46

Sample ID 240608-zafjqsge67
Target 2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware
SHA256 08564def6f60d4abf5c52eb0c6136edc989d23d315dedea2fba9592fce938daa
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: 08564def6f60d4abf5c52eb0c6136edc989d23d315dedea2fba9592fce938daa

Threat Level: Shows suspicious behavior

The file 2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware was classified as "Shows suspicious behavior" (score 7/10). In both behavioral runs the sample drops an executable as C:\Windows\CTS.exe (a different binary from the sample itself, see the hashes in the Files sections), executes it, and both the original process and the dropped copy register C:\Windows\CTS.exe under the HKLM ...\CurrentVersion\Run key. The write is recorded through the WOW6432Node view, which is consistent with a 32-bit image running under WOW64 on a 64-bit guest; hunting for the value must therefore check both registry views. Both processes also enable SeDebugPrivilege.

Malicious Activity Summary

Tags: persistence, spyware, stealer

The signatures below are aggregated over the static analysis and both behavioral runs. Note that "Reads user/profile data of web browsers" and "Suspicious use of WriteProcessMemory" carry no indicator rows in the per-analysis sections, so the browser artifacts read and the target of the memory write are not recorded in this report.

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are included in this export.

Analysis: static1

Detonation Overview

Reported

2024-06-08 20:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 20:30

Reported

2024-06-08 20:38

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

No indicator rows were recorded for this signature; the browser files or keys that were read are not listed.

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain (PTR query) | Proto | Address being resolved
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 20.49.150.241
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp | 2.23.210.83
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp | 20.190.159.23
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 192.229.221.95
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 52.137.106.217
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp | 13.85.23.86
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 52.165.164.15
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 199.232.210.172
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp | 52.111.227.11

All recorded traffic consists of reverse (PTR) lookups sent to Google's public resolver; the last column is the IPv4 address each in-addr.arpa name encodes. No connection to any of those addresses, and no other destination, appears in the capture, and the win7 run below recorded no network activity at all. Reverse lookups of this kind are commonly background activity of the guest operating system rather than something the sample initiated, so these entries should be treated as weak indicators, not as command-and-control evidence, unless corroborated elsewhere.

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 54be80e502b47ad9464dbcca4e55248a
SHA1 2c21601f1ad47c5ad8b1fb7632e7b4c8f884b3b1
SHA256 02e16e50aea04b40707c691c4de9836b0bbdf94aba1ca44ad0ef296dfd0f5f6b
SHA512 75830f991b4e2cab8acb8f57472e86e117cae57425b6eed3fdb54e331621c9e3b0615be6fb2be8a49a7d92e0ab6ac0db2db74ab8fd91d43e3cebd3601dc49693

C:\Users\Admin\AppData\Local\Temp\61xgIojPh0E5foQ.exe

MD5 26c0e40729470bafbf964bdbcae1137a
SHA1 1f371ad7fdc4b81aab41c82d70e95255aaa8f365
SHA256 dc309532082bf4376c10e22634f764187fdd7634cdced5720e6dcb4f3f1f4bbd
SHA512 ff889d57e2ada8ea80d642edca3bc72b13f361db82619d8ea932a4acd57555e53e0fe6afdaf36319b5a2f015133fc90bb945562814f3324414beaf92d9351970

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 20:30

Reported

2024-06-08 20:38

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

No indicator rows were recorded for this signature; the browser files or keys that were read are not listed.

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
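The persistence chain in the behavioral2 and behavioral1 signature tables (a process in the user's Temp directory drops an executable directly under C:\Windows, then both processes register it under the Run key) is the kind of sequence a detection rule can catch without any file hash. The following is an added example of such logic, written for this page and not taken from the sandbox or the report; the event stream is constructed from the report's rows, and the Event field names are an assumed Sysmon-like schema, not the sandbox's own format. The rules flag the Run value three ways: the autostart target lives directly in C:\Windows rather than a subdirectory, the target was written by a process running from AppData\Local\Temp, and the dropped binary re-registers itself. The key pattern matches both the native and the WOW6432Node view, because a 32-bit writer is redirected to the latter.

```python
"""Detection logic for the Run-key persistence chain recorded in this report.

Added example, not part of the sandbox report. Events are constructed from the
report's signature rows; the Event schema is an assumption.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    kind: str          # "file_create", "process_create" or "reg_set"
    process: str       # image path of the process performing the action
    target: str = ""   # file path, registry value path, or child image
    value: str = ""    # registry data (only for "reg_set")


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe")
DROPPED = r"C:\Windows\CTS.exe"
# Observed through the WOW6432Node view (32-bit process on a 64-bit guest).
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\CTS")

# Constructed event stream mirroring the report's rows, plus one benign Run
# entry written by an installer to show what the rules leave alone.
EVENTS = [
    Event("file_create", SAMPLE, DROPPED),
    Event("process_create", SAMPLE, DROPPED),
    Event("reg_set", SAMPLE, RUN_KEY, r"C:\Windows\CTS.exe"),
    Event("file_create", DROPPED, DROPPED),
    Event("reg_set", DROPPED, RUN_KEY, r"C:\Windows\CTS.exe"),
    Event("reg_set", r"C:\Program Files\Vendor\setup.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
          '"C:\\Program Files\\Vendor\\update.exe" /quiet'),
]

# Matches both the native view and the WOW6432Node view of Run / RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def exe_from_run_value(data: str) -> str:
    """Extract the executable path from Run-value data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def norm(path: str) -> str:
    """Case-fold and collapse separators so registry data and file events compare equal."""
    return str(PureWindowsPath(path)).lower()


def detect(events):
    """Return one finding per Run-key write that matches any of the three rules."""
    findings = []
    first_writer = {}   # dropped file -> first process that created it
    for ev in events:
        if ev.kind == "file_create":
            first_writer.setdefault(norm(ev.target), ev.process)
        elif ev.kind == "reg_set" and RUN_KEY_RE.search(ev.target):
            exe = norm(exe_from_run_value(ev.value))
            reasons = []
            # Rule 1: autostart target sits directly in C:\Windows, not a subdirectory.
            if str(PureWindowsPath(exe).parent) == r"c:\windows":
                reasons.append("run target placed directly in C:\\Windows")
            # Rule 2: autostart target was written by a process in the user Temp dir.
            writer = first_writer.get(exe)
            if writer and TEMP_RE.search(writer):
                reasons.append("run target was dropped by a process in AppData\\Local\\Temp")
            # Rule 3: the dropped binary registers itself (second hop of the chain).
            if norm(ev.process) == exe:
                reasons.append("dropped binary re-registers itself")
            if reasons:
                findings.append({"process": ev.process, "value": ev.target,
                                 "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["process"], "->", f["value"], ":", "; ".join(f["reasons"]))
```

Run against the constructed stream, the two writes from the report are flagged (the first by rules 1 and 2, the second by all three) and the installer's entry is not. On a real telemetry feed the same three checks apply to Sysmon event IDs 11 and 13 or to EDR equivalents; the Temp-directory rule is the one that survives a change of the drop location.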

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2815684073507e15c829f28b4a99e23a_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A (no network activity was recorded in this run)

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\CinyRPW5E9IwojM.exe

MD5 4dcec04d36da5973be17e02d6ce316d1
SHA1 1f304d17190623073d3b9b866a6787a29d0bed56
SHA256 b90c66895aae4d0dfd775c0e41d2f29668b140d776c30dc4803169d337819c5a
SHA512 936c57af8e54a2c30cf8a357d70823f0ab1605ad7c16b4017be79384c892406c25b272718afd46a81783d27df9584dc16e0879bdede1a4d457189cc7141f848c
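The Files sections of both runs show that C:\Windows\CTS.exe is byte-identical across the win10 and win7 detonations (same MD5, SHA1, SHA256 and SHA512), while the executable dropped into the user's Temp directory has a different random name and a different hash in each run. A host sweep therefore gets a reliable hit from the CTS.exe hash and the "CTS" Run value, and should treat the Temp hashes as per-run artifacts that may not match elsewhere. The following is an added example of such a sweep, written for this page and not part of the report; the hash table is copied from the Files sections above, and the function names and scan locations are assumptions. The registry check reads both the native 64-bit and the WOW6432Node view, because the report records the write through the latter.

```python
"""Host sweep for the artifacts recorded in this report: dropped-file SHA256
values and the "CTS" Run value.

Added example, not part of the sandbox report. IOC_SHA256 is copied from the
report; everything else is assumed.
"""
import hashlib
import sys
from pathlib import Path

# SHA256 -> where the report observed that file.
IOC_SHA256 = {
    "b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc":
        r"C:\Windows\CTS.exe (identical in both runs)",
    "dc309532082bf4376c10e22634f764187fdd7634cdced5720e6dcb4f3f1f4bbd":
        r"%LOCALAPPDATA%\Temp\61xgIojPh0E5foQ.exe (win10 run only)",
    "b90c66895aae4d0dfd775c0e41d2f29668b140d776c30dc4803169d337819c5a":
        r"%LOCALAPPDATA%\Temp\CinyRPW5E9IwojM.exe (win7 run only)",
}
RUN_VALUE_NAME = "CTS"
RUN_TARGET = r"c:\windows\cts.exe"


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_iocs(paths, iocs=IOC_SHA256):
    """Return (path, sha256, label) for every existing file whose hash is in the table."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            h = sha256_of(p)
            if h in iocs:
                hits.append((str(p), h, iocs[h]))
    return hits


def check_run_keys():
    """Look for the CTS Run value in both the native 64-bit and WOW6432Node views.

    A 64-bit tool reading only the native view would miss the write this report
    records. Returns a list of (view, value name, data); empty off Windows.
    """
    if sys.platform != "win32":
        return []  # winreg exists only on Windows; nothing to inspect elsewhere
    import winreg
    found = []
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    views = (("64-bit", winreg.KEY_WOW64_64KEY), ("WOW6432Node", winreg.KEY_WOW64_32KEY))
    for view_name, flag in views:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ | flag)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                index += 1
                if name == RUN_VALUE_NAME or RUN_TARGET in str(data).lower():
                    found.append((view_name, name, data))
    return found


if __name__ == "__main__":
    for view, name, data in check_run_keys():
        print(f"Run value ({view}): {name} = {data}")
    for path, h, label in match_iocs([r"C:\Windows\CTS.exe"]):
        print(f"IOC hit: {path} {h} ({label})")
```

Matching on the value name alone is not enough, since the name is trivially changed; matching the data against the dropped path catches a renamed value that still points at C:\Windows\CTS.exe. Extend the path list passed to match_iocs with the contents of each user's AppData\Local\Temp to pick up the per-run Temp executables where the hashes happen to match.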