Malware Analysis Report

2025-04-14 04:17

Sample ID 240609-jeha5aff6w
Target 2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware
SHA256 04c56b9ff809aaef4afafe40c233fa1f9264b9783216e76c1311528651f706af
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

04c56b9ff809aaef4afafe40c233fa1f9264b9783216e76c1311528651f706af

Threat Level: Shows suspicious behavior

The file 2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 07:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 07:34

Reported

2024-06-09 07:37

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\8KQXxldKxlDmrq2.exe

MD5 e3d43aeb96db1f81d07586647c3a5ee2
SHA1 60791e9ad0a48ba846a18ddb38faaa6cf78d1ab1
SHA256 34ffd65b7294528fb8327bcab8010755f5258c340319a909b0f171f95f5760de
SHA512 a230f8a5d3283b9d9c46db2c31dfaffca889832d578407ad62791bd4352fe64a4d917247822130f6062e43e9c22cc5162da6f6cffcdca86e38d22ac362fe6138

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 07:34

Reported

2024-06-09 07:37

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a2cb39f7f05c0026c5c15c557b542510
SHA1 0f2363a80ccaab74676b1e2a02fda906775c62ab
SHA256 11b0fd4c1d5914b8f8a6b89150d4c2a88290d10a592ae36cceae54038fa0fb33
SHA512 a19d99a48b8b11cbdb6cd4cc1a9a5435c2dd9907e124e61cc07b590c001d0d1247089fc928323d5e02ff62eb10fd06edafa99cdb624c0d6e042b252a2b33841f

C:\Users\Admin\AppData\Local\Temp\7DyZlddg3KulNwS.exe

MD5 3afc8ad34d6422a1a987e76a11ba47f0
SHA1 1bbbe728f732da1021ee798d3a2184ca8e408f45
SHA256 93a5921ad895900c1fe8c386d5e4fc6cc1fcf34a0046d08c689ebcde32c854df
SHA512 93cc41fac320c160678656ad0a544bf1df7153fee8fc43afce64826ffe48c7141e7b4d338440fb0a527adef9855fee8308ed073d5640b51bb3b553c13094ff8d