Analysis Overview
SHA256
fc07a641e7fa85d60e108d570510968aa4ad6f26197d047c980b52d18742dffe
Threat Level: Shows suspicious behavior
Verdict for 2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware: shows suspicious behavior. The sample copies itself to C:\Windows\CTS.exe, persists through an HKLM Run key pointing at that copy, enables SeDebugPrivilege and writes into the memory of the child process it launches; the per-detonation details are below.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:54
Reported
2024-06-12 14:57
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\sWg5er6P40ocAsJ.exe
| MD5 | e733aa346142b9bfd3d960f4a965f5d2 |
| SHA1 | b6af675345135f586f966e2446da8a5910482c5f |
| SHA256 | 42506d2cf39126ebc2d59416ba2e46ab513476bc6edfb3c76c76734bb146e86c |
| SHA512 | 0c2cc64a4576202270519b66188d13a317b75152672aa14efeab9fedaa15351e99185be79f23eca7693dbfda0395f824bbe5d912e9211974da03be4a40502cfa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:54
Reported
2024-06-12 14:57
Platform
win10v2004-20240508-en
Max time kernel
52s
Max time network
53s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 432 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | C:\Windows\CTS.exe |
| PID 432 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | C:\Windows\CTS.exe |
| PID 432 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 520c353331e017e989d80573fd1e0aa8 |
| SHA1 | ef5f276750bbf85d0f264146ae879dce18781f9f |
| SHA256 | 116393c52fe56d161802e010e2e5e2740460944c814e3183bcf611b8401106eb |
| SHA512 | c942f25eb7fabeffc473442a9fd17e56d39d4476dd1bc2a84e22381813018bc81e91545097b7281c0e6a73c3659ffb87ecff3e6ae9bf19917477146c6656611d |
C:\Users\Admin\AppData\Local\Temp\oxOaChOnL1zBG4N.exe
| MD5 | 822ba243e8e90141758a0986abef5719 |
| SHA1 | 7ebc16e4087ea169f5229e56c93773d138821c89 |
| SHA256 | 479cfd83559c83d8ff5f10f682ec724772a11f7b59d8f169d52a95dd7685fefc |
| SHA512 | 805edf8284e3f018fd3997b8b1b7df3f94c40577c1fc66947cc18f6c6acfd25dc83e56df20cc918a44558c33fdb19af9280ecce2fcfa78de44c47459154a5d60 |
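Added example, not part of the sandbox report: a small Python triage helper that encodes the indicators both detonations agree on (the C:\Windows\CTS.exe drop with SHA256 075a6eec..., the Run\CTS value pointing at it, execution of the dropped copy, and the dropper writing into the child's memory) and runs them over a constructed list of host events shaped like the report's signature rows. The Event type, the event kinds and the sample events are assumptions made for this example and are not a real EDR or Sysmon schema. The Temp executables (sWg5er6P40ocAsJ.exe in behavioral1, oxOaChOnL1zBG4N.exe in behavioral2) carry a different name and hash in each run, so they are deliberately not used as indicators; the Run key is matched both under the Wow6432Node view the sandbox logged and under the native 64-bit path, and the doubled backslashes the report uses when rendering registry string data are collapsed before comparison.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the report; both detonations recorded the same values.
SAMPLE_SHA256 = "fc07a641e7fa85d60e108d570510968aa4ad6f26197d047c980b52d18742dffe"
DROPPED_SHA256 = "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163"
DROPPED_PATH = r"c:\windows\cts.exe"   # compared after norm(), hence lower-case
# Matches the Run\CTS value both under the WOW64-redirected view the sandbox
# logged (...\Wow6432Node\...) and under the native 64-bit path.
RUN_KEY_RE = re.compile(
    r"\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\cts$",
    re.IGNORECASE,
)


def norm(s: str) -> str:
    """Lower-case, drop quotes and collapse the doubled backslashes the report
    uses when it renders string values, so paths compare reliably."""
    return s.strip().strip('"').replace("\\\\", "\\").lower()


@dataclass(frozen=True)
class Event:
    """Assumed host-event shape for this example (not an EDR/Sysmon schema)."""
    kind: str       # file_create | reg_set | proc_start | proc_write
    process: str    # image path of the acting process
    target: str     # file path, registry value path, or child/target image
    data: str = ""  # file SHA256 for file_create, value data for reg_set


def classify(ev: Event) -> list[str]:
    """Return the report signatures a single event would trigger."""
    hits: list[str] = []
    proc, target, data = norm(ev.process), norm(ev.target), norm(ev.data)
    if ev.kind == "file_create":
        if target == DROPPED_PATH:
            hits.append("drops_file_in_windows_dir")
        if data == DROPPED_SHA256:
            hits.append("known_dropped_binary_hash")
    elif ev.kind == "reg_set":
        if RUN_KEY_RE.search(target) and data == DROPPED_PATH:
            hits.append("adds_run_key")
    elif ev.kind == "proc_start":
        if target == DROPPED_PATH:
            hits.append("executes_dropped_exe")
    elif ev.kind == "proc_write":
        # The report shows the dropper (PID 2176 / 432) writing into CTS.exe.
        if target == DROPPED_PATH and proc != target:
            hits.append("writes_into_dropped_exe")
    return hits


def triage(events: list[Event]) -> Counter:
    """Count signature hits across a host's events; an empty Counter is clean."""
    counts: Counter = Counter()
    for ev in events:
        counts.update(classify(ev))
    return counts


CHAIN = ("drops_file_in_windows_dir", "adds_run_key",
         "executes_dropped_exe", "writes_into_dropped_exe")


def matches_report_chain(events: list[Event]) -> bool:
    """True when the full drop -> persist -> execute -> inject chain is present."""
    counts = triage(events)
    return all(counts[sig] > 0 for sig in CHAIN)


# Constructed sample telemetry shaped like the behavioral1 rows, plus benign noise.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe")
SAMPLE_EVENTS = [
    Event("file_create", DROPPER, r"C:\Windows\CTS.exe", DROPPED_SHA256),
    Event("reg_set", DROPPER,
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
          r"\CurrentVersion\Run\CTS", r"C:\\Windows\\CTS.exe"),
    Event("proc_start", DROPPER, r"C:\Windows\CTS.exe"),
    Event("proc_write", DROPPER, r"C:\Windows\CTS.exe"),
    # Benign entries (constructed) that a naive "any Run key" rule would flag.
    Event("reg_set", r"C:\Program Files\Vendor\Updater.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          r"C:\Program Files\Vendor\Updater.exe"),
    Event("file_create", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\Temp\cab_1234.tmp"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.kind, "->", classify(ev) or "no hit")
    print(dict(triage(SAMPLE_EVENTS)), matches_report_chain(SAMPLE_EVENTS))
```

The chain check is what makes this usable on a fleet: a single Run key write or a single file in C:\Windows is common in legitimate software, but the four behaviors together, tied to the same path and hash the sandbox recorded, are specific to this sample.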