Analysis Overview
SHA256
cea8457cf83420c20d47290e0527895f0c572d68527ad2e0011e1e64827e40ba
Threat Level: Shows suspicious behavior
The file 2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:41
Reported
2024-06-12 14:44
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2188 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2188 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2188 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2188 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\9lX0HaFv8UEbRRg.exe
| Hash | Value |
|---|---|
| MD5 | a28180b3da6b4878cfceff21f5e1484b |
| SHA1 | deb4642be300e0f665fba73c86f49f9f896deedc |
| SHA256 | 2d3d47edd10febb1d7df2e8b858eb59f11e9c5d30f444df64cae7f8d860d88ee |
| SHA512 | 0f885c1461ddf1d86037f5c2cb7be48ec9e72fce49ab1c9883e8b29dc0c7994e72e88d4f75b20a054f154fbaf1e180675e62f372b67c1f532bc7a32b12d5b5bf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:41
Reported
2024-06-12 14:44
Platform
win10v2004-20240508-en
Max time kernel
79s
Max time network
99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1948 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1948 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1948 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.111.227.14:443 | N/A | tcp |
Files
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
|---|---|
| MD5 | b03b6832030712c8a8548971395c096d |
| SHA1 | 2ade28577a355a836f86d040e8449c3f402e2525 |
| SHA256 | bed1952f9342b9654dab71f4b109f0bde5f3df08ed13bc71f17366c897556bb7 |
| SHA512 | a4f1c546cdbe58a9169097deb8966f5cf7948d571671a68a350eddcb6cea56a005147a80eb60b65efc7032ed73f04bcb7b7ecb9922e47bef29082d2b1a7587a3 |
C:\Users\Admin\AppData\Local\Temp\5a96ioTSiMwv4Iv.exe
| Hash | Value |
|---|---|
| MD5 | 8890adb076704c4003ed7c9376ead293 |
| SHA1 | 42cace7a4c0d12981345577d2f5b3c1093f21bd5 |
| SHA256 | 87c18c571438afe98f843eb4445573a564d61783ac8fd2332f79cab1a384f6f0 |
| SHA512 | ff9961e3834ed79ec07baab3386fb81da870ac2bc641387d17849da1e8870949b7b3c6033e7cceb4e0a8e6a5a0c099670812d78f3420e141f91a6455ff8d2bef |