Malware Analysis Report

2024-11-30 06:21

Sample ID 240612-rzsatsydke
Target 2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware
SHA256 c6df7f22be01adea63114cb802ab6997558233bc1d9b24e3e1cd2e9062842424
Tags
persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

c6df7f22be01adea63114cb802ab6997558233bc1d9b24e3e1cd2e9062842424

Threat Level: Shows suspicious behavior

The file 2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:38

Reported

2024-06-12 14:40

Platform

win7-20240611-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\zeZHyByH965Er36.exe

MD5 323d9cf4cd9d89506eb0f4402a3bd56a
SHA1 d87fbe2bc9ffb0330f549b6a380cd5def8a3f53c
SHA256 efbcfc144af80b97d5e95f7e757f87267cfd73ec1eb3f9670554584dc4743ee7
SHA512 81fce01351d8d0db68aacf67e897efa8868ec0079dca21424325a3d0635f5460bf0125361a24523e1c7c9ab3369d7fe404945dbc5bc4419d0eb51a484854feb9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:38

Reported

2024-06-12 14:40

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_474da67bbb15a3401dd0889bc662bf00_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a7de17ac6dbe357ca2344f356dda0742
SHA1 4fe4274367cb1baedc74c5d5691e42144782a8c8
SHA256 2e75bc46b57e9a606371499452d653357b3f320f418360918ef8c5c40f7df53b
SHA512 b2f0678b8ed61dba80200179e036672d1ca9bba9300fa1e1220e26a101777c2da64ad0429347b0095ec749b0218b1110a9a3fd58c9f26c7789b3c2bbe4c1e632

C:\Users\Admin\AppData\Local\Temp\Kj5ppQSWtL5uOAG.exe

MD5 ec98248f9c5402de8eee41622fe1c587
SHA1 1a527ea3ef5e1657865ac94e92eb38f4f02ab3e9
SHA256 cd7c8e39f932103247944d8415347247e5a99af5300bb1480b938f17c0a8fd08
SHA512 4056793ba3da424df4870c2e4be250b57b5fb5c4a7b46b2271982f96b27b68a88ab2dfe9e4e1c80d31ad890dc1e2ea14b1f7b246fd2319454634d87df8b86bcc