Malware Analysis Report

2024-11-30 06:19

Sample ID: 240612-rwyy7syclf
Target: 2024-06-12_337a305312764d1905019ce98e14af03_bkransomware
SHA256: b666e57abc4f3cc49f0951de6612e9e5c380063295c021b5d1990abe1effff59
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: b666e57abc4f3cc49f0951de6612e9e5c380063295c021b5d1990abe1effff59

Threat level: shows suspicious behavior

The file 2024-06-12_337a305312764d1905019ce98e14af03_bkransomware was classified as showing suspicious behavior (score 7/10). Despite the "bkransomware" label in the submission name, none of the recorded signatures involves file encryption or a ransom note; what the sandbox observed is persistence, a dropped second-stage executable, and access to browser profile data.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

Both detonations record the same chain: a second executable appears in %TEMP% under a random name (G2IHC4i3eLChNsj.exe on Windows 7, HDnNtQIxBgWkdFB.exe on Windows 10, with identical hashes in both runs) and is executed, the submitted sample writes C:\Windows\CTS.exe, and that path is registered under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS. CTS.exe itself repeats the file write and the Run-value write when it runs, and both processes enable SeDebugPrivilege. WriteProcessMemory use is listed only in this summary; neither detonation records a per-process entry for it.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 14:33

Signatures

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 14:33
Reported: 2024-06-12 14:35
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe"

Signatures

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Loads dropped DLL
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)
No per-indicator detail recorded.

Adds Run key to start application (tag: persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A

Drops file in Windows directory
Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe | C:\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe
C:\Windows\CTS.exe | "C:\Windows\CTS.exe"

Network

No network activity recorded in this run.

Files

\Users\Admin\AppData\Local\Temp\G2IHC4i3eLChNsj.exe

MD5 6e5a78d1702531b72ef60b5fae57a752
SHA1 0ce7e1172989a55d9cc07e204af0b00b22d2ea7c
SHA256 a00a877acefcad45953343ad56a22152f7aaba5fcf2a10215d84169d47fbcd1d
SHA512 23b3094d77f876b6ff9286aea1f5e61bb6909f2b66abda02be21862956712fc33ed241a0d40d0f30aa52eecb240b139468606cffa4e11ee87b6b27bd05d8f0a3

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 14:33
Reported: 2024-06-12 14:35
Platform: win10v2004-20240611-en
Max time kernel: 92s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe"

Signatures

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)
No per-indicator detail recorded.

Adds Run key to start application (tag: persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory
Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
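
Detecting this chain in endpoint telemetry, as an added example that is not part of the sandbox report and not code from the sample: the Python below applies three checks to Sysmon-style events (EventID 11 FileCreate and EventID 13 RegistryEvent value set), namely a process running out of %TEMP% writing an .exe directly into C:\Windows, a Run value whose data points into C:\Windows, and the correlation of the two. The five event records are constructed to mirror the indicators in the behavioral1 and behavioral2 signature tables plus two benign records that must not fire; they are not real Sysmon output, and the single-backslash paths are how Sysmon would report the value the sandbox renders as "C:\\Windows\\CTS.exe". The field names and rule names are this example's own choices.

```python
"""Hunt for the persistence chain this report records, over Sysmon-style events.

Added example for this write-up; it is not output of the sandbox and not code
from the sample. The events below are constructed to mirror the report's
indicators (a process in %TEMP% creates C:\\Windows\\CTS.exe, then both it and
CTS.exe set Run\\CTS to that path). Field names follow Sysmon EventID 11
(FileCreate) and 13 (RegistryEvent, value set); the records are synthetic.
"""
import re
from dataclasses import dataclass

# A value under ...\CurrentVersion\Run or RunOnce in any hive view. The report's
# key is the Wow6432Node view of HKLM\SOFTWARE, which this pattern still matches.
RUN_VALUE_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# A process image under a user's %TEMP%, where the submitted sample ran.
TEMP_IMAGE_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# An .exe placed directly in C:\Windows, not in System32 or another subdirectory.
WINDOWS_ROOT_EXE_RE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str     # process that performed the action
    artifact: str  # file path or registry value it touched


def exe_from_run_value(data: str) -> str:
    """Reduce Run value data to the executable path it launches.

    Handles a quoted path with trailing arguments ('"C:\\x y.exe" /bg') and a
    bare path without arguments. An unquoted path containing spaces plus
    arguments is ambiguous for Windows as well; this takes the first token.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data.strip('"')
    return data.split(" ", 1)[0]


def hunt(events):
    """Apply three checks to an ordered list of Sysmon-style event dicts."""
    findings = []
    dropped_by_temp = {}  # lower-cased path -> process that wrote it
    for ev in events:
        if ev.get("EventID") == 11:  # FileCreate
            target = ev["TargetFilename"]
            if TEMP_IMAGE_RE.search(ev["Image"]) and WINDOWS_ROOT_EXE_RE.search(target):
                findings.append(Finding("temp_process_drops_exe_into_windows_root",
                                        ev["Image"], target))
                dropped_by_temp[target.lower()] = ev["Image"]
        elif ev.get("EventID") == 13:  # RegistryEvent, value set
            key = ev["TargetObject"]
            if not RUN_VALUE_RE.search(key):
                continue
            payload = exe_from_run_value(ev["Details"])
            if WINDOWS_ROOT_EXE_RE.search(payload):
                findings.append(Finding("run_value_points_into_windows_root", ev["Image"], key))
            if payload.lower() in dropped_by_temp:
                # Highest confidence: the autostart entry names a file that a
                # %TEMP% process wrote earlier, the sequence seen in both runs.
                findings.append(Finding("run_value_registers_freshly_dropped_exe", ev["Image"], key))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe"
RUN_VALUE = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

# Constructed events (not real Sysmon output). The first three mirror the
# report; the last two are benign noise the rules must ignore.
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\CTS.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_VALUE, "Details": r"C:\Windows\CTS.exe"},
    {"EventID": 13, "Image": r"C:\Windows\CTS.exe", "TargetObject": RUN_VALUE,
     "Details": r"C:\Windows\CTS.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SoftwareDistribution\Download\update.cab"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:45} {f.image} -> {f.artifact}")
```

Run as a script it prints five findings: one file drop and, for each of the two processes that wrote the Run value, one "points into C:\Windows" hit and one correlated "registers a freshly dropped exe" hit. To use it on real data, map Sysmon JSON onto the EventID, Image, TargetFilename, TargetObject and Details fields; the correlation rule expects the FileCreate to precede the registry write, as it does in this report.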

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-12_337a305312764d1905019ce98e14af03_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe | C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe
C:\Windows\CTS.exe | "C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp

All six records are reverse (PTR) lookups sent to 8.8.8.8, for 20.190.181.3, 40.68.123.157, 52.165.164.15, 2.17.197.216, 52.111.227.11 and 2.17.197.249 respectively (an in-addr.arpa name carries the address octets in reverse order). No connection to any of these addresses, and no other traffic, is recorded for the sample, and the Windows 7 run recorded no network activity at all.

Files

C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe

MD5 6e5a78d1702531b72ef60b5fae57a752
SHA1 0ce7e1172989a55d9cc07e204af0b00b22d2ea7c
SHA256 a00a877acefcad45953343ad56a22152f7aaba5fcf2a10215d84169d47fbcd1d
SHA512 23b3094d77f876b6ff9286aea1f5e61bb6909f2b66abda02be21862956712fc33ed241a0d40d0f30aa52eecb240b139468606cffa4e11ee87b6b27bd05d8f0a3

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 e43519fec08ba6696af3e44b7b2787a5
SHA1 5d495ba5c4cc66e93cb97a4c4d3a5a258ee86457
SHA256 9ccaa2299e070e177b8277ee783799037de439981476a7eeec80a89d44bd1999
SHA512 764c6601d7efe1897d3bde8f83915ebb629ed367e9d7d76a187cc9c879333d30c1ccc03dd22c372f1111e8d620474aed8b65dd36aef07178b6a6c342c6a29725
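
Because the second-stage file changed its name between the two runs while its hashes did not, a hunt for this sample should key on content digests rather than filenames. The Python below, an added example rather than anything from the report or the sample, parses the report's own Files layout (a path line followed by one digest per line) into an IOC set and sweeps a directory tree, comparing the MD5, SHA-1 and SHA-256 of every file against it. The REPORT_FILES excerpt is copied from the behavioral2 Files section (SHA512 lines left out; the parser accepts them); the demo() tree with an empty decoy named CTS.exe is constructed for the example and shows that a matching name alone produces no hit.

```python
"""Sweep a directory for files whose content hashes match this report's IOCs.

Added example for this write-up, not part of the sandbox output. It parses the
report's own Files layout (path line, then one digest per line) and matches on
content hashes rather than names: the second-stage executable was written under
a different random name in each run (G2IHC4i3eLChNsj.exe, HDnNtQIxBgWkdFB.exe)
with identical digests, so the name is not a usable indicator.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Excerpt copied from the report's behavioral2 Files section (SHA512 lines
# omitted for brevity; the parser accepts them too).
REPORT_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\HDnNtQIxBgWkdFB.exe

MD5 6e5a78d1702531b72ef60b5fae57a752
SHA1 0ce7e1172989a55d9cc07e204af0b00b22d2ea7c
SHA256 a00a877acefcad45953343ad56a22152f7aaba5fcf2a10215d84169d47fbcd1d

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
"""

DIGEST_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_report_files(text):
    """Return {algo: {hexdigest: reported_path}} from a report Files section."""
    iocs = defaultdict(dict)
    current_path = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DIGEST_LINE_RE.match(line)
        if m:
            iocs[m.group(1).lower()][m.group(2).lower()] = current_path
        else:
            current_path = line  # any other non-empty line is the next file path
    return iocs


def hash_file(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file, computed in a single read pass."""
    hashers = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(path, digests, iocs):
    """(path, algo, reported_path) for the first digest in the IOC set, else None."""
    for algo, digest in digests.items():
        reported = iocs.get(algo, {}).get(digest.lower())
        if reported is not None:
            return (path, algo, reported)
    return None


def sweep(root, iocs):
    """Hash every regular file under root and return the IOC hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                hit = match_digests(path, hash_file(path), iocs)
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if hit:
                hits.append(hit)
    return hits


def demo():
    """Sweep a throwaway tree holding an empty decoy named CTS.exe.

    The decoy must not match: its digests are the well-known empty-input
    values, and a file's name is never what the IOC set keys on.
    """
    iocs = parse_report_files(REPORT_FILES)
    with tempfile.TemporaryDirectory() as root:
        decoy = os.path.join(root, "Windows", "CTS.exe")
        os.makedirs(os.path.dirname(decoy))
        open(decoy, "wb").close()
        hits = sweep(root, iocs)
        digests = hash_file(decoy)
    return hits, digests


if __name__ == "__main__":
    print(demo())
```

Point sweep() at a quarantine share or a mounted image to check it against the report; a hit is reported with the algorithm that matched and the path the sandbox recorded for that content, so a file found under a new random name still resolves to the right dropped artifact.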