Malware Analysis Report

2024-11-30 06:11

Sample ID 240612-r2tlnsyeja
Target 2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware
SHA256 cea8457cf83420c20d47290e0527895f0c572d68527ad2e0011e1e64827e40ba
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: cea8457cf83420c20d47290e0527895f0c572d68527ad2e0011e1e64827e40ba

Threat Level: Shows suspicious behavior

Verdict: the file 2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware shows suspicious behavior. Despite the "bkransomware" suffix in the submitted filename, neither detonation below recorded an encryption or ransom-note signature; what was observed is a dropper that installs Run-key persistence and reads browser profile data.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory (appears in this summary only; neither detonation below records an indicator row for it)

MITRE ATT&CK

Enterprise Matrix V15. The export contains no matrix rows of its own; the following mapping is derived from the signatures recorded below:

T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  (Adds Run key to start application)
T1555.003 or T1217  Credentials from Web Browsers / Browser Information Discovery  (Reads user/profile data of web browsers; the report does not say which browser files were read, so the exact technique is undetermined)

Analysis: static1

Detonation Overview

Reported: 2024-06-12 14:41

Signatures

Unsigned PE: the submitted PE carries no Authenticode signature. No indicator rows (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 14:41
Reported: 2024-06-12 14:44
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe"

Signatures

Executes dropped EXE

Process: C:\Windows\CTS.exe (Description, Indicator, Target: N/A)

Reads user/profile data of web browsers

Tags: spyware, stealer. No indicator rows were recorded for this signature, so the report does not say which browser files were read.

Adds Run key to start application

Tag: persistence

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
Target:      N/A

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process:     C:\Windows\CTS.exe
Target:      N/A

The value lands under Wow6432Node, the WOW64-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which tells you the sample is a 32-bit PE running on a 64-bit image. Both the dropper and the dropped CTS.exe write the same value, so remediation has to stop CTS.exe before removing the value or it can be rewritten. When hunting, query both the native and the WOW6432Node view; on a 32-bit host the value sits directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Drops file in Windows directory

Description: File created
Indicator:   C:\Windows\CTS.exe
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
Target:      N/A

Description: File created
Indicator:   C:\Windows\CTS.exe
Process:     C:\Windows\CTS.exe
Target:      N/A

Creating a file directly in C:\Windows requires an administrative token, so the detonation ran the sample as an administrator (user "Admin"). Under a standard, non-elevated user this write fails and the Run value would have to point at a user-writable location instead.

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
Target:      N/A

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Windows\CTS.exe
Target:      N/A

SeDebugPrivilege is enabled by both the dropper and CTS.exe. On its own this is low-signal (debuggers, backup and administration tools do the same), but it is the privilege needed to open other users' processes with full access, which is what the WriteProcessMemory use listed in the summary would require; the report records no injection target.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe
  MD5    66df4ffab62e674af2e75b163563fc0b
  SHA1   dec8a197312e41eeb3cfef01cb2a443f0205cd6e
  SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
  SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\9lX0HaFv8UEbRRg.exe
  MD5    a28180b3da6b4878cfceff21f5e1484b
  SHA1   deb4642be300e0f665fba73c86f49f9f896deedc
  SHA256 2d3d47edd10febb1d7df2e8b858eb59f11e9c5d30f444df64cae7f8d860d88ee
  SHA512 0f885c1461ddf1d86037f5c2cb7be48ec9e72fce49ab1c9883e8b29dc0c7994e72e88d4f75b20a054f154fbaf1e180675e62f372b67c1f532bc7a32b12d5b5bf

CTS.exe has the same SHA256 (075a6eec...) in both detonations, so the dropped payload is embedded as-is rather than generated per run and its hash is a usable file IOC. The random-named executable in Temp is listed as a written file only: no process, Run-key or network row references it, and behavioral2 shows a differently named Temp executable with a different hash, so its hash is not a stable indicator.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 14:41
Reported: 2024-06-12 14:44
Platform: win10v2004-20240508-en
Max time kernel: 79s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe"

Signatures

Executes dropped EXE

Process: C:\Windows\CTS.exe (Description, Indicator, Target: N/A)

Reads user/profile data of web browsers

Tags: spyware, stealer. As in behavioral1, no indicator rows were recorded for this signature.

Adds Run key to start application

Tag: persistence

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
Target:      N/A

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process:     C:\Windows\CTS.exe
Target:      N/A

Same persistence chain as on the Win7 image; the only difference in the recorded key path is the capitalisation of WOW6432Node, so any detection that matches this path must be case-insensitive.

Drops file in Windows directory

Description: File created
Indicator:   C:\Windows\CTS.exe
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
Target:      N/A

Description: File created
Indicator:   C:\Windows\CTS.exe
Process:     C:\Windows\CTS.exe
Target:      N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
Target:      N/A

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Windows\CTS.exe
Target:      N/A
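The behavioral1 and behavioral2 signature sections above describe the same chain: a process in the user's Temp directory drops CTS.exe into C:\Windows, registers it under the per-machine Run key (seen through the WOW6432Node view, spelled differently on the two images), and the dropped file then executes. The following is an added hunting example, not part of the sandbox report, that correlates that chain in Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) and matches file hashes against the SHA256 values the report lists. The event list, the benign "Vendor" Run value and the Sysmon field names used as dictionary keys are constructed for this example; the hashes and paths are the report's own.

```python
"""Correlate drop-to-Windows, Run-key persistence and execution of the dropped
file in Sysmon-style events, and match file hashes against the report's IOCs.
The EVENTS list at the bottom is constructed for this example, not sandbox output."""
import re

# File hashes taken from the report above (submitted sample and dropped CTS.exe).
REPORTED_SHA256 = {
    "cea8457cf83420c20d47290e0527895f0c572d68527ad2e0011e1e64827e40ba",
    "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163",
}

# Per-machine Run key in both the native and the WOW6432Node (32-bit) view.
RUN_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\"
    r"(?P<name>[^\\]+)$"
)
USER_WRITABLE = ("\\APPDATA\\LOCAL\\TEMP\\", "\\DOWNLOADS\\", "\\USERS\\PUBLIC\\")


def norm(path):
    """Upper-case a path or key and map the kernel hive prefix to HKLM so the
    Win7 (Wow6432Node) and Win10 (WOW6432Node) spellings compare equal."""
    return path.upper().replace("\\REGISTRY\\MACHINE\\", "HKLM\\")


def run_key_name(target_object):
    """Return the value name if target_object is a per-machine Run value
    (native or WOW64-redirected view), otherwise None."""
    m = RUN_KEY_RE.match(norm(target_object))
    return m.group("name") if m else None


def find_drop_and_run(events):
    """One finding per dropped file for which all three hold:
    (a) EventID 11: a process in a user-writable directory creates a file
        under the Windows directory;
    (b) EventID 13: a Run value is set whose data points at that file;
    (c) EventID 1: that file is executed.
    Event order is not assumed; events are bucketed first, then joined."""
    dropped = {}    # normalized dropped path -> dropper image
    run_vals = {}   # normalized path named in Run value data -> (value name, writer)
    executed = set()
    for e in events:
        eid = e["EventID"]
        if eid == 11:
            tgt = norm(e["TargetFilename"])
            src = norm(e["Image"])
            if tgt.startswith("C:\\WINDOWS\\") and any(d in src for d in USER_WRITABLE):
                dropped[tgt] = e["Image"]
        elif eid == 13:
            name = run_key_name(e["TargetObject"])
            if name:
                # The report renders the data as "C:\\Windows\\CTS.exe"; strip
                # surrounding quotes so it compares against a file path.
                data = norm(e["Details"].strip('"'))
                run_vals[data] = (name, e["Image"])
        elif eid == 1:
            executed.add(norm(e["Image"]))
    findings = []
    for path, dropper in dropped.items():
        if path in run_vals and path in executed:
            name, writer = run_vals[path]
            findings.append({"dropped": path, "dropper": dropper,
                             "run_value": name, "run_written_by": writer})
    return findings


def match_hashes(observed):
    """observed: {path: sha256 hex}. Return the paths whose hash is a reported IOC."""
    return sorted(p for p, h in observed.items() if h.lower() in REPORTED_SHA256)


# Constructed events mirroring behavioral1/behavioral2, plus one benign Run value.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe")
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": "C:\\Windows\\CTS.exe"},
    {"EventID": 13, "Image": SAMPLE,   # Win7 spelling of the redirected key
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\CTS",
     "Details": "C:\\Windows\\CTS.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\CTS.exe", "ParentImage": SAMPLE},
    {"EventID": 13, "Image": "C:\\Windows\\CTS.exe",   # Win10 spelling, kernel hive prefix
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\CTS",
     "Details": "\"C:\\Windows\\CTS.exe\""},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",   # benign installer (constructed)
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},
]

if __name__ == "__main__":
    for finding in find_drop_and_run(EVENTS):
        print(finding)
    print(match_hashes({"C:\\Windows\\CTS.exe":
                        "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163"}))
```

The join deliberately requires all three legs so that a legitimate installer writing a Run value (the VendorTray event) or a lone file creation under C:\Windows does not fire; the Run value written by CTS.exe itself is what ends up in the finding, matching the second row of each "Adds Run key" table above.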

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country  Destination         Domain  Proto
US       52.111.227.14:443   (none)  tcp

No domain was resolved for this connection and it is the only network activity in either run. 52.111.0.0/16 lies in Microsoft-owned address space used for Office 365 service endpoints, and an Office Rules.xml file is written in the same run, so treat this as probable background traffic from the Win10 image rather than a confirmed command-and-control indicator unless corroborated elsewhere.

Files

C:\Windows\CTS.exe
  MD5    66df4ffab62e674af2e75b163563fc0b
  SHA1   dec8a197312e41eeb3cfef01cb2a443f0205cd6e
  SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
  SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  MD5    b03b6832030712c8a8548971395c096d
  SHA1   2ade28577a355a836f86d040e8449c3f402e2525
  SHA256 bed1952f9342b9654dab71f4b109f0bde5f3df08ed13bc71f17366c897556bb7
  SHA512 a4f1c546cdbe58a9169097deb8966f5cf7948d571671a68a350eddcb6cea56a005147a80eb60b65efc7032ed73f04bcb7b7ecb9922e47bef29082d2b1a7587a3

C:\Users\Admin\AppData\Local\Temp\5a96ioTSiMwv4Iv.exe
  MD5    8890adb076704c4003ed7c9376ead293
  SHA1   42cace7a4c0d12981345577d2f5b3c1093f21bd5
  SHA256 87c18c571438afe98f843eb4445573a564d61783ac8fd2332f79cab1a384f6f0
  SHA512 ff9961e3834ed79ec07baab3386fb81da870ac2bc641387d17849da1e8870949b7b3c6033e7cceb4e0a8e6a5a0c099670812d78f3420e141f91a6455ff8d2bef

CTS.exe carries the same hashes as in behavioral1. The excel.exe_Rules.xml file is the telemetry rules cache that Office 16.x applications write under their own profile directory; no process row ties the sample to it, so treat it as image background activity rather than a sample artifact. The random-named Temp executable differs in name and hash from the one in behavioral1 and, as there, is never executed or referenced by another row.