Malware Analysis Report

2025-06-15 20:00

Sample ID 240611-wnac4awcqj
Target 2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware
SHA256 ef1f172c0354bde12b7af5d2a3f38200d83418b511e791590d0a0ed28931f81d
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ef1f172c0354bde12b7af5d2a3f38200d83418b511e791590d0a0ed28931f81d

Threat Level: Shows suspicious behavior

The file 2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 18:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 18:03

Reported

2024-06-11 18:06

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NFVpTyMJr7QmrYa.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\NFVpTyMJr7QmrYa.exe

C:\Users\Admin\AppData\Local\Temp\NFVpTyMJr7QmrYa.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\NFVpTyMJr7QmrYa.exe

MD5 ec5e7403f86990ab23caeeb4955f5ffb
SHA1 c345479d6dc53a102ccb05259c0c858a1ddd7d8e
SHA256 352df104254095ddf925514d99bfb5411c95b5386e90caf06557979f82e16844
SHA512 679957452967a3d3f3f1c55a9a510befa2d31e3bdb825a76540e845667f61775f4d18c3b3493133dd671b380907aaae0dd380b95729a448acf48d95ca0fe5206

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 18:03

Reported

2024-06-11 18:06

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OLUPLp6P2xjbqhE.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_212cc02e286e8fb6cdb6b0f29ff9a729_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\OLUPLp6P2xjbqhE.exe

C:\Users\Admin\AppData\Local\Temp\OLUPLp6P2xjbqhE.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8

Network

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\OLUPLp6P2xjbqhE.exe

MD5 ec5e7403f86990ab23caeeb4955f5ffb
SHA1 c345479d6dc53a102ccb05259c0c858a1ddd7d8e
SHA256 352df104254095ddf925514d99bfb5411c95b5386e90caf06557979f82e16844
SHA512 679957452967a3d3f3f1c55a9a510befa2d31e3bdb825a76540e845667f61775f4d18c3b3493133dd671b380907aaae0dd380b95729a448acf48d95ca0fe5206

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 0f7f86a84658374dc6343c57a83286ce
SHA1 fb6a4e392c4baafb53693e01580b6a49af55ff5c
SHA256 7db21555b64c9b855a4821685b8d5e2f37141983363f3a305e8edbdd4a5942bc
SHA512 df3032574185d3df0cd2cc909b41338169743380017fe7d97df40c757f613e6973b31f2b253ac905dbbdb904a8e7d7535bfd8cc44cd01d1484461dffdcd04f76