Malware Analysis Report

2024-11-30 06:32

Sample ID 240612-r1sb8asdnk
Target 2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware
SHA256 e81a2a29df897a30fafc879a18fb42f8a2019d7d5daf41925ee1920002d812a9
Tags
persistence spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:39

Reported

2024-06-12 14:42

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13X2Bql5vwqldKF.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\13X2Bql5vwqldKF.exe

C:\Users\Admin\AppData\Local\Temp\13X2Bql5vwqldKF.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\13X2Bql5vwqldKF.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

memory/2356-15-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13X2Bql5vwqldKF.exe

MD5 ce6070b92cc1191c05b8b44422efa440
SHA1 7e5e5e52e15117eb4c90481a7e6479f81cf36f1b
SHA256 b88dc9ff79441829d3aa746aee09af779255d17c7e52f3d265dc5ebcf5285a21
SHA512 6ed364784b103d301be23a0937d0bfc82dab25b55e9f5f6bd16bb9810d40698cb0acdaa0ff7c1217ed1aa2bfb014ee823ccf0be2691e7e05796648643b8cbf41

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:39

Reported

2024-06-12 14:42

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nljdmVGmhrffbgE.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5567ea406c6fd92642f2ad36d755e768_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\nljdmVGmhrffbgE.exe

C:\Users\Admin\AppData\Local\Temp\nljdmVGmhrffbgE.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nljdmVGmhrffbgE.exe

MD5 abbd49c180a2f8703f6306d6fa731fdc
SHA1 d63f4bfe7f74936b2fbace803e3da6103fbf6586
SHA256 5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1
SHA512 290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 dad8c33104e1cd4cbd9a9ff3ef3b952c
SHA1 c123e894041879a98fe936b7386227b32f3a320b
SHA256 a787af28290c94e0682c3767431f6671afda8811dd2a7b28a83812992e427089
SHA512 a26c38393cd4bc18b359f9247d9d310f89453bc17dca06ca50d490ce02463e8c90c7c1ddb11d9237b41bf9f5be9e70e6a22b91766edd14599b98019a93070784

memory/1448-12-0x0000000000400000-0x000000000040D000-memory.dmp