Malware Analysis Report

2024-11-30 04:14

Sample ID 240613-aqq8qs1amk
Target 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware
SHA256 bce278f72862767ae49e7493d789747dbc864156d92ebd681ad8828f1c9e9d13
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bce278f72862767ae49e7493d789747dbc864156d92ebd681ad8828f1c9e9d13

Threat Level: Shows suspicious behavior

The file 2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:25

Reported

2024-06-13 00:27

Platform

win7-20240419-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\R9VeXk0DbQyge3i.exe

MD5 cbf08fcb16489bb8ae5127ade06ecefa
SHA1 9e9ace43d8280e90b0f897405e758fe6a56a1243
SHA256 456fcef0f54577f87a58d7b7817e65dc12f805d4651514c0e274084dd1b827fc
SHA512 5750d85bfe5b91d6dab0625a57de3e76a813ba3677a4fb0a292ee7a489ff081ac3c264f2a3e7c30c7324651e25a3e74b7b93ebe58df3fc45fa736b816346fc45

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:25

Reported

2024-06-13 00:27

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_08096c6e58536c35881c54a6a74d9d0e_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4612 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 19708219d534a85281787991712b25e1
SHA1 2cec34e1eb87407d700b75eb055e24d3fd54d816
SHA256 7159e4ac919bb63f9f0d8344d97afe0d5e6a6a71f62cfac667965449cacbae8e
SHA512 34c320d5e46c4ebf0854f45c7989e78b3459ca21f5e62263f977ffba5225e712c09bf195f9651488d58ab2cf4487e6a3edee835154c366b8b91639abebb55e68

C:\Users\Admin\AppData\Local\Temp\WvGa0unGWUqVZYz.exe

MD5 5b5d69a12cf70f07aad5f6b558dc2324
SHA1 651e0c7e1560b74fb67a25cf538241a2967415dc
SHA256 568c3828dc1d41cac9d4bf467d3b61bf7230bf94b8ce60fca894846f0874cda8
SHA512 b9b308254f95e07979566d15363f905c82e6911eab97d18bc65a6d742bd3727ac1c7de77756e271d46f90520964d81f318c8a0cc5bdfd41381952b575b4f6d29