Analysis Overview
SHA256
04c56b9ff809aaef4afafe40c233fa1f9264b9783216e76c1311528651f706af
Threat Level: Shows suspicious behavior
The file 2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 07:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 07:34
Reported
2024-06-09 07:37
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2256 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2256 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2256 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2256 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\8KQXxldKxlDmrq2.exe
| Hash | Value |
|---|---|
| MD5 | e3d43aeb96db1f81d07586647c3a5ee2 |
| SHA1 | 60791e9ad0a48ba846a18ddb38faaa6cf78d1ab1 |
| SHA256 | 34ffd65b7294528fb8327bcab8010755f5258c340319a909b0f171f95f5760de |
| SHA512 | a230f8a5d3283b9d9c46db2c31dfaffca889832d578407ad62791bd4352fe64a4d917247822130f6062e43e9c22cc5162da6f6cffcdca86e38d22ac362fe6138 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 07:34
Reported
2024-06-09 07:37
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1192 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1192 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1192 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
|---|---|
| MD5 | a2cb39f7f05c0026c5c15c557b542510 |
| SHA1 | 0f2363a80ccaab74676b1e2a02fda906775c62ab |
| SHA256 | 11b0fd4c1d5914b8f8a6b89150d4c2a88290d10a592ae36cceae54038fa0fb33 |
| SHA512 | a19d99a48b8b11cbdb6cd4cc1a9a5435c2dd9907e124e61cc07b590c001d0d1247089fc928323d5e02ff62eb10fd06edafa99cdb624c0d6e042b252a2b33841f |
C:\Users\Admin\AppData\Local\Temp\7DyZlddg3KulNwS.exe
| Hash | Value |
|---|---|
| MD5 | 3afc8ad34d6422a1a987e76a11ba47f0 |
| SHA1 | 1bbbe728f732da1021ee798d3a2184ca8e408f45 |
| SHA256 | 93a5921ad895900c1fe8c386d5e4fc6cc1fcf34a0046d08c689ebcde32c854df |
| SHA512 | 93cc41fac320c160678656ad0a544bf1df7153fee8fc43afce64826ffe48c7141e7b4d338440fb0a527adef9855fee8308ed073d5640b51bb3b553c13094ff8d |