Malware Analysis Report

2024-11-30 06:11

Sample ID 240612-sadltashjr
Target 2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware
SHA256 fc07a641e7fa85d60e108d570510968aa4ad6f26197d047c980b52d18742dffe
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fc07a641e7fa85d60e108d570510968aa4ad6f26197d047c980b52d18742dffe

Threat Level: Shows suspicious behavior

The file 2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:54

Reported

2024-06-12 14:57

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\sWg5er6P40ocAsJ.exe

MD5 e733aa346142b9bfd3d960f4a965f5d2
SHA1 b6af675345135f586f966e2446da8a5910482c5f
SHA256 42506d2cf39126ebc2d59416ba2e46ab513476bc6edfb3c76c76734bb146e86c
SHA512 0c2cc64a4576202270519b66188d13a317b75152672aa14efeab9fedaa15351e99185be79f23eca7693dbfda0395f824bbe5d912e9211974da03be4a40502cfa

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:54

Reported

2024-06-12 14:57

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_c922646120eafd58ce11effbf168c599_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 520c353331e017e989d80573fd1e0aa8
SHA1 ef5f276750bbf85d0f264146ae879dce18781f9f
SHA256 116393c52fe56d161802e010e2e5e2740460944c814e3183bcf611b8401106eb
SHA512 c942f25eb7fabeffc473442a9fd17e56d39d4476dd1bc2a84e22381813018bc81e91545097b7281c0e6a73c3659ffb87ecff3e6ae9bf19917477146c6656611d

C:\Users\Admin\AppData\Local\Temp\oxOaChOnL1zBG4N.exe

MD5 822ba243e8e90141758a0986abef5719
SHA1 7ebc16e4087ea169f5229e56c93773d138821c89
SHA256 479cfd83559c83d8ff5f10f682ec724772a11f7b59d8f169d52a95dd7685fefc
SHA512 805edf8284e3f018fd3997b8b1b7df3f94c40577c1fc66947cc18f6c6acfd25dc83e56df20cc918a44558c33fdb19af9280ecce2fcfa78de44c47459154a5d60