Malware Analysis Report

2025-08-06 00:46

Sample ID 240608-ze6aysfh7v
Target 2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware
SHA256 03db67dd35edc3e7b1f8576b329dc16c573b2bab31e232cdea24d501e02f67f8
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

03db67dd35edc3e7b1f8576b329dc16c573b2bab31e232cdea24d501e02f67f8

Threat Level: Shows suspicious behavior

The file 2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-08 20:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 20:38

Reported

2024-06-08 20:41

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\i8j2RHv6Iq7qI7Z.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\i8j2RHv6Iq7qI7Z.exe

C:\Users\Admin\AppData\Local\Temp\i8j2RHv6Iq7qI7Z.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\i8j2RHv6Iq7qI7Z.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

memory/2180-15-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i8j2RHv6Iq7qI7Z.exe

MD5 336aa899be3363ae4ed87f2a2f1826b5
SHA1 918af21564152610ea6fd4d09bb823d1b1ab0fec
SHA256 93f23b8b65366ef6a7a841083f17363f5e5545d5b2a5e06cf603330655181662
SHA512 ee6582b9c808c1022299328386cf48611acacfbd1a774a2bf96c3b9727d6beb1db396416629145e4ed9e34abd63c91372312e2b948d809dcfac3471374930ce6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 20:38

Reported

2024-06-08 20:41

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DqQBwMbdaE8d2HW.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7ea7d9e934a8ddeb8dfd377f3d0c9131_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\DqQBwMbdaE8d2HW.exe

C:\Users\Admin\AppData\Local\Temp\DqQBwMbdaE8d2HW.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 168.83.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\DqQBwMbdaE8d2HW.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

memory/64-9-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a13b15cf718cdea621f2a2e31256f706
SHA1 6062afba07d0f07d7d09ce149a181d178d8d4f2e
SHA256 6ecfcbc0b996503404cd0099fd29d44f7cab858b84e58fd5d2648febf1b9a889
SHA512 360b8582d76637826dc1665cae2982ff31ccbcd50e3fa447a8e8b074f5523b09f231a3365305acc2b5a925bf128c6788fb724c13321d6b556c79c4d5110720c4