Analysis Overview
SHA256
fded7c8bf261131e728631a4aadbdb753d297523cec1ff276e1d8ef2d985000b
Threat Level: Shows suspicious behavior
The file 2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 00:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 00:50
Reported
2024-06-13 00:53
Platform
win7-20240220-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\ihkm2uRAuJHk9hA.exe
| MD5 | 930be9895730196234ad6ff5f101237b |
| SHA1 | 04e09d68bfd5eaa20e869a152c523670853d635c |
| SHA256 | d02b45c66aed86bc97a6157ccf8ba543c5f559fe8ae67055550972951da549fe |
| SHA512 | df47b5c6847cbeb51bf66d8592a31d3870b8546c9ff3e4ee3e5ed1cd806047aa59083400a310dbe591362b9226a6e5f4af1420620a309ba2b9602c6e02a173bb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 00:50
Reported
2024-06-13 00:53
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2988 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2988 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 52.111.243.30:443 | | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | ceb099da54752fbf8c6f475aad72410b |
| SHA1 | c0bcb2078b508016a57ac31da98fdea7dd5a22ae |
| SHA256 | 5026dad3eba80779e4a4873ed11f119587b465859055c74c2d7a406442d615fa |
| SHA512 | cbc58b9d1b33fa67c36850d38a447f0af9d3b0aa42f6bc957d216a152ce2a5b2c44a683c5f7b9d35aa5ba2d38d455876e4b028fee67a83f77fc99349c79d8106 |
C:\Users\Admin\AppData\Local\Temp\od0FI8zLoKPJjee.exe
| MD5 | cda60fdedbdb43adad30053fac947926 |
| SHA1 | 19b99c607f66ea3a09c439d35bfba5a5dcb9e654 |
| SHA256 | dc173280d7545a55f09b39d579977265b6ea8ea25c27d9924e7583b71c65a72e |
| SHA512 | 0c3b4485cb77fe7edd07c66981a76ad66c172c85d030fe8a1d5c3407485414494b50f67be05e8e45bf1f37c1959ba96805cce0a9f16949b218369ed9f8b74c9d |