Analysis Overview
SHA256
680ea0b10007510bf1fb7ee902a991d54af502de658fdca1d04d56466f2673da
Threat Level: Shows suspicious behavior
The file 2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:31
Reported
2024-06-12 14:34
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4016 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4016 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4016 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 82b3200b536db6485d5c44062974b02e |
| SHA1 | 7262c381a95a75725366681c545c135aed19609b |
| SHA256 | cd22a6e28f725956b0f6f91e2233fba72311344d0822a447a4de504f04a451f8 |
| SHA512 | df1695e510abb00ca417cf6cd2187c97a9a4ef04b6e4c11f971245f00cab50f063c487d2739e225bf590001219be75601d51e37e5d4817d1ba0311c0f6142d9a |
C:\Users\Admin\AppData\Local\Temp\0h2Y9CgyklswQ24.exe
| MD5 | 3c2536f8991ec3028f745d4b5fb08ed7 |
| SHA1 | f6ee54dace9c58e6c934c89030c9a9383c08969c |
| SHA256 | 0994526ab3a6ca5370d5d6a676f50bad0bbb5952d9f759bb0fdeb0c02a54ea98 |
| SHA512 | fa57acfc468a031675c750199f78e38101eba918c76f0040090d796044dad47ff1b3f169168bf71e53ab16fd2bbb40572c562d8ed68543c397858de0541e2725 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:31
Reported
2024-06-12 14:34
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3008 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3008 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3008 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b23162d5b374f3e62854fc634b374a5_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\8WIGmRljrTtrkm9.exe
| MD5 | c3ab50960623d5a6fff252c459c0af69 |
| SHA1 | b4b623ef90185503f82937e8274caf0cf4308a37 |
| SHA256 | 72018c687d4223308b6f7924fc52aa603c78cf9f70ee8ca8affcbaed589cedf8 |
| SHA512 | d6081d3b1f5bc7b71355e29d69a5ae654c046ab19f6b660f1483d6d145b10ed0cff6f95e22c75e011c99518ba72786af4751164262037459d9fd3a7a320fe886 |