Malware Analysis Report

2024-11-30 06:32

Sample ID 240612-r344sssemn
Target 2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware
SHA256 4494e4e5ac081e129e9c371c9ce9f4dd33a43d035d729863e9183da39a793296
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4494e4e5ac081e129e9c371c9ce9f4dd33a43d035d729863e9183da39a793296

Threat Level: Shows suspicious behavior

The file 2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:44

Reported

2024-06-12 14:46

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rp1DohDQnAB4SFs.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\Rp1DohDQnAB4SFs.exe

C:\Users\Admin\AppData\Local\Temp\Rp1DohDQnAB4SFs.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\Rp1DohDQnAB4SFs.exe

MD5 af88cab288e8213a11a7ea5313363d31
SHA1 cb769e3246d5244a0040621e919f7c519ba49986
SHA256 7407fac6e170430f34322202b73aa392431b5c2c49e15304fb255bb24c540366
SHA512 a4e353fcb78579345d4c5bc1f48970b473e0499dfe5bc6abeffb669295fa2940ce8637045a11f881fe88dd9b97d380ae9a8eed1b94fbd47181e0b4eb427e9679

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:44

Reported

2024-06-12 14:46

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9qbFp3eIbKw5M1Z.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_7d03e7821e52d29ebda64eae2231fff5_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\9qbFp3eIbKw5M1Z.exe

C:\Users\Admin\AppData\Local\Temp\9qbFp3eIbKw5M1Z.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4012,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\9qbFp3eIbKw5M1Z.exe

MD5 af88cab288e8213a11a7ea5313363d31
SHA1 cb769e3246d5244a0040621e919f7c519ba49986
SHA256 7407fac6e170430f34322202b73aa392431b5c2c49e15304fb255bb24c540366
SHA512 a4e353fcb78579345d4c5bc1f48970b473e0499dfe5bc6abeffb669295fa2940ce8637045a11f881fe88dd9b97d380ae9a8eed1b94fbd47181e0b4eb427e9679

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 397e6560171d2ee6e49d3e133a7ea15e
SHA1 d92d52c1344ce9fa02e19609bc36ce3085040ac5
SHA256 48b06f11a024e0cf45c12cad24d8ae39139489bbb2ef7dcae89b19acbd8ea421
SHA512 f81e4c0068500da3ef129f3c2bbe3cd9f090d8869938d52015749c39941e056685b61ea222c25896695258655e32330b7f156c327698be545b22478dfe10e02a

C:\Users\Admin\AppData\Local\Temp\9qbFp3eIbKw5M1Z.exe

MD5 819a8c143ce12eb87fa21552472223c6
SHA1 d73561ef39b84127f5e4e9bf7c604f20356edda4
SHA256 ccb97d9e67908a9eeda34c1ba9ab664d0af28bf26b09078e1c1fe9bc782713c1
SHA512 2dd52e3d30f09a2ebf89e3c733c9a18d623196f59a54232b2262b94506f5ecb9c6cee9c9fa272a57a2ff7cadc80e8e2c7f9490c30493f15018ff1ce0cc2beca1