Analysis Overview
SHA256
c6df7f22be01adea63114cb802ab6997558233bc1d9b24e3e1cd2e9062842424
Threat Level: Shows suspicious behavior
The file 2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:38
Reported
2024-06-12 14:40
Platform
win7-20240611-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1560 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1560 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1560 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1560 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\zeZHyByH965Er36.exe
| MD5 | 323d9cf4cd9d89506eb0f4402a3bd56a |
| SHA1 | d87fbe2bc9ffb0330f549b6a380cd5def8a3f53c |
| SHA256 | efbcfc144af80b97d5e95f7e757f87267cfd73ec1eb3f9670554584dc4743ee7 |
| SHA512 | 81fce01351d8d0db68aacf67e897efa8868ec0079dca21424325a3d0635f5460bf0125361a24523e1c7c9ab3369d7fe404945dbc5bc4419d0eb51a484854feb9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:38
Reported
2024-06-12 14:40
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4308 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4308 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | C:\Windows\CTS.exe |
| PID 4308 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | a7de17ac6dbe357ca2344f356dda0742 |
| SHA1 | 4fe4274367cb1baedc74c5d5691e42144782a8c8 |
| SHA256 | 2e75bc46b57e9a606371499452d653357b3f320f418360918ef8c5c40f7df53b |
| SHA512 | b2f0678b8ed61dba80200179e036672d1ca9bba9300fa1e1220e26a101777c2da64ad0429347b0095ec749b0218b1110a9a3fd58c9f26c7789b3c2bbe4c1e632 |
C:\Users\Admin\AppData\Local\Temp\Kj5ppQSWtL5uOAG.exe
| MD5 | ec98248f9c5402de8eee41622fe1c587 |
| SHA1 | 1a527ea3ef5e1657865ac94e92eb38f4f02ab3e9 |
| SHA256 | cd7c8e39f932103247944d8415347247e5a99af5300bb1480b938f17c0a8fd08 |
| SHA512 | 4056793ba3da424df4870c2e4be250b57b5fb5c4a7b46b2271982f96b27b68a88ab2dfe9e4e1c80d31ad890dc1e2ea14b1f7b246fd2319454634d87df8b86bcc |