Analysis Overview
SHA256
ab0f890a4d3ebd0611f77ff7018453eac882a131a815b68798f73ff45d5c4fa3
Threat Level: Shows suspicious behavior
The file 2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-08 20:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 20:33
Reported
2024-06-08 20:35
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2452 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2452 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2452 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2452 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\cjnACliiHABoqMh.exe
| Hash | Value |
|---|---|
| MD5 | 9c70e3e3fa178cd80940079b570667d5 |
| SHA1 | d7f8af9dfb0527bf92bc6198414dee2d56a5f0d9 |
| SHA256 | c74cfbaa3095aecb5a7f40ba2a052af25d2eb8aa6195ef5fb44098719fe2b973 |
| SHA512 | ea8710abf7941b60c9d15070fb040d65863927b1a158b8ac0db25d18884e11c80d9eea7c868fe0de8c5ddddd1b7ddf45b7ce828f25835ea10b77e96b4b8e16df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 20:33
Reported
2024-06-08 20:35
Platform
win10v2004-20240426-en
Max time kernel
95s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2324 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2324 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2324 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_490cc71f335c60d7e0655c8258dba016_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
|---|---|
| MD5 | 943cdd802b2f6ef59efdb08624c42e60 |
| SHA1 | b686995f022711c56a81f10a771730871a9d83dd |
| SHA256 | a2cc877ead25628e93d41909f8f5cc1e2a1bd1e35df734d53655206c8e34d8d3 |
| SHA512 | 8f8b8e1d9a54926e67a23553820e7f9f20f895e40924ca003b0a1361eee5a627b201985456279b6d91239e8c8b5e0d8f5df1f824fdf047265fb098704ba918db |
C:\Users\Admin\AppData\Local\Temp\MxZmWNAGJX7ADo2.exe
| Hash | Value |
|---|---|
| MD5 | fdfc604ac6340c19f4a59d8ee2610017 |
| SHA1 | 5397e6a29fde3a1856c1a06d17444b17f6b74cb7 |
| SHA256 | c6ad9dc281d1ab8fd6f75f5491c43a557612d022873d2e0edbae823dc7d02505 |
| SHA512 | d7224a7972b53286d0ebab0c48cc39f832363772d5d43ccd6fdeee9e282db3cc13af5ff8d2cc6ecb84e6c9e926141d4074507b30a8f799054d4d70fd49211492 |