Analysis Overview
SHA256
b666e57abc4f3cc49f0951de6612e9e5c380063295c021b5d1990abe1effff59
Threat Level: Shows suspicious behavior
The file 2024-06-12_337a305312764d1905019ce98e14af03_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:33
Reported
2024-06-12 14:35
Platform
win7-20240508-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe
C:\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe
| MD5 | 6e5a78d1702531b72ef60b5fae57a752 |
| SHA1 | 0ce7e1172989a55d9cc07e204af0b00b22d2ea7c |
| SHA256 | a00a877acefcad45953343ad56a22152f7aaba5fcf2a10215d84169d47fbcd1d |
| SHA512 | 23b3094d77f876b6ff9286aea1f5e61bb6909f2b66abda02be21862956712fc33ed241a0d40d0f30aa52eecb240b139468606cffa4e11ee87b6b27bd05d8f0a3 |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:33
Reported
2024-06-12 14:35
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4508 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe |
| PID 4508 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe |
| PID 4508 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4508 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4508 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe
C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe
| MD5 | 6e5a78d1702531b72ef60b5fae57a752 |
| SHA1 | 0ce7e1172989a55d9cc07e204af0b00b22d2ea7c |
| SHA256 | a00a877acefcad45953343ad56a22152f7aaba5fcf2a10215d84169d47fbcd1d |
| SHA512 | 23b3094d77f876b6ff9286aea1f5e61bb6909f2b66abda02be21862956712fc33ed241a0d40d0f30aa52eecb240b139468606cffa4e11ee87b6b27bd05d8f0a3 |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | e43519fec08ba6696af3e44b7b2787a5 |
| SHA1 | 5d495ba5c4cc66e93cb97a4c4d3a5a258ee86457 |
| SHA256 | 9ccaa2299e070e177b8277ee783799037de439981476a7eeec80a89d44bd1999 |
| SHA512 | 764c6601d7efe1897d3bde8f83915ebb629ed367e9d7d76a187cc9c879333d30c1ccc03dd22c372f1111e8d620474aed8b65dd36aef07178b6a6c342c6a29725 |