Analysis Overview
SHA256
3180ad517578b8327517e020661dd02304e534181496344dedbca86f4290e180
Threat Level: Shows suspicious behavior
The file 2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:03
Reported
2024-06-12 18:05
Platform
win7-20240221-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95wFoU3S4siUM3X.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\95wFoU3S4siUM3X.exe
C:\Users\Admin\AppData\Local\Temp\95wFoU3S4siUM3X.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\95wFoU3S4siUM3X.exe
| MD5 | e97c622b03fb2a2598bf019fbbe29f2c |
| SHA1 | 32698bd1d3a0ff6cf441770d1b2b816285068d19 |
| SHA256 | 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160 |
| SHA512 | db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\95wFoU3S4siUM3X.exe
| MD5 | a33fff9ccf410f818d2a7fdd67da07a6 |
| SHA1 | 3d7225c264ae7e88b7932c2c37f40048e8be375b |
| SHA256 | f2af3ae853de1847178215797f8bc5d7c3a585bc39adaa883bc5d99bf3b7b9e0 |
| SHA512 | 76400809858c23867da039c443910c3e6b30e4275f0396fa4233366eb7d0cbd3b36e0e8f7ded9970a961ba6dfd26c7e8fa5879996a257390d66578b296b02f07 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 18:03
Reported
2024-06-12 18:05
Platform
win10v2004-20240611-en
Max time kernel
120s
Max time network
99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JkfkgHiRPkUL63l.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_a025e29726722d69fea098d6f481bb85_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\JkfkgHiRPkUL63l.exe
C:\Users\Admin\AppData\Local\Temp\JkfkgHiRPkUL63l.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\JkfkgHiRPkUL63l.exe
| MD5 | e97c622b03fb2a2598bf019fbbe29f2c |
| SHA1 | 32698bd1d3a0ff6cf441770d1b2b816285068d19 |
| SHA256 | 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160 |
| SHA512 | db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 6c6a5a95342dfc8a526e61b63ec53d08 |
| SHA1 | eabd99474e7191133366827b2cf6539b581f3734 |
| SHA256 | 45e826c28fc9888c033b18f7d373fda0d5a8b073a605b6ea3f7f2e7e5854019e |
| SHA512 | d11e39916204c1579b59d4f13ca57ef75cc038afafb482304774e2019267b9f37504cd3ee8abc0a0d84bb7bd850097fa808c587ae656a57fbf419552f4eb18b9 |