Malware Analysis Report

2025-06-15 20:00

Sample ID 240611-wgrc2awbll
Target 2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware
SHA256 bfd18f72aab900840cc667f96449dbd01158970223ec1c25df9965ba1ad0b59d
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bfd18f72aab900840cc667f96449dbd01158970223ec1c25df9965ba1ad0b59d

Threat Level: Shows suspicious behavior

The file 2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:53

Reported

2024-06-11 17:56

Platform

win7-20240508-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\1JfwafEvokpQAbN.exe

MD5 893912ff0c0fdf6b37227ef8fe1be850
SHA1 354d5572c3e8061e54454546cc88174398324da1
SHA256 cd047dd6083c20858fb99d04c4ef822617b3ce75f5abc34044d0b0c84a6bac61
SHA512 0c73c1ed1b8c426482aba3dd4330bb1b402d07ddd8d93d93cb9eade9943c1d07ecd9b790dfb5b02f24523cdc160b70efa4f4a9d31c46305d156adab5e1586c26

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:53

Reported

2024-06-11 17:56

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_56c46bfa121fca06c1325981e6c13195_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 bf54e6a94aad67a4d3486b1a7b710005
SHA1 143028dea97021a7e0e73f1b13dba3bf3ed008f4
SHA256 03488e832d54c38ec26bbba20f52457998801f44c958ee428c0cce75564ad4ee
SHA512 daab54fbdab9cd1062f81d2032796ceb4a8b472c3791a69b8a56d33ea232dac10cb0441b4f6d533ec5b7ed80a27a5ade1f898b1a80fd570599bf4d47b10ecd60

C:\Users\Admin\AppData\Local\Temp\DYyOizMUpYD2WYB.exe

MD5 5d9b5f41943bf3ae7f7a98c388ee285c
SHA1 f1ea2c250e2dfff22c487ca41491ad9b89ecd64d
SHA256 42db6416458cb6cc4111287f7e8e26926766f3631227d22a4dcdc5cf116e8e18
SHA512 57ec57c2967c61b98007f71f3cfc56091bdaf216bdd3c324dbb6ba65de887247d8d5c15cf2a39ae83673f06b32fada2a3487aa894a5e06cfddb3f12e44d474f2