Malware Analysis Report

2024-11-30 04:23

Sample ID: 240613-a7dc7sxgnf
Target: 2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware
SHA256: fded7c8bf261131e728631a4aadbdb753d297523cec1ff276e1d8ef2d985000b
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: fded7c8bf261131e728631a4aadbdb753d297523cec1ff276e1d8ef2d985000b

Threat Level: Shows suspicious behavior

The file 2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware was classified as "Shows suspicious behavior".

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 00:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 00:50
Reported: 2024-06-13 00:53
Platform: win7-20240220-en
Max time kernel: 120s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\ihkm2uRAuJHk9hA.exe

MD5 930be9895730196234ad6ff5f101237b
SHA1 04e09d68bfd5eaa20e869a152c523670853d635c
SHA256 d02b45c66aed86bc97a6157ccf8ba543c5f559fe8ae67055550972951da549fe
SHA512 df47b5c6847cbeb51bf66d8592a31d3870b8546c9ff3e4ee3e5ed1cd806047aa59083400a310dbe591362b9226a6e5f4af1420620a309ba2b9602c6e02a173bb

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 00:50
Reported: 2024-06-13 00:53
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_b6b4f2dce2917df92a43034efd1f8207_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network


Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 ceb099da54752fbf8c6f475aad72410b
SHA1 c0bcb2078b508016a57ac31da98fdea7dd5a22ae
SHA256 5026dad3eba80779e4a4873ed11f119587b465859055c74c2d7a406442d615fa
SHA512 cbc58b9d1b33fa67c36850d38a447f0af9d3b0aa42f6bc957d216a152ce2a5b2c44a683c5f7b9d35aa5ba2d38d455876e4b028fee67a83f77fc99349c79d8106

C:\Users\Admin\AppData\Local\Temp\od0FI8zLoKPJjee.exe

MD5 cda60fdedbdb43adad30053fac947926
SHA1 19b99c607f66ea3a09c439d35bfba5a5dcb9e654
SHA256 dc173280d7545a55f09b39d579977265b6ea8ea25c27d9924e7583b71c65a72e
SHA512 0c3b4485cb77fe7edd07c66981a76ad66c172c85d030fe8a1d5c3407485414494b50f67be05e8e45bf1f37c1959ba96805cce0a9f16949b218369ed9f8b74c9d