Malware Analysis Report

2024-11-30 04:36

Sample ID 240613-axxzvsxcph
Target 2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware
SHA256 86d3188cd7bd8b2be012a0eafbd82f29ec0499ba4fc720d474cbd3ad6ff987df
Tags
persistence spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

86d3188cd7bd8b2be012a0eafbd82f29ec0499ba4fc720d474cbd3ad6ff987df

Threat Level: Shows suspicious behavior

The file 2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware was found to show suspicious behavior: it drops and executes a copy of itself as C:\Windows\CTS.exe, registers that copy in an HKLM Run key, and enables SeDebugPrivilege in both the original and the dropped process.

Malicious Activity Summary

persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:36

Reported

2024-06-13 00:38

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\SfeLVmqxnqmAFx7.exe

MD5 6e0e7264eb4cc18a4914c26d83d5d1d1
SHA1 e6b67a56700f0845b2d4c4a5fdcdf4cf6340a731
SHA256 def57904a9a4fc4033ba036c31af179481c1aada4f3fa6866203b3b11f11f9fd
SHA512 e320e2a8de5fa42eb7a117da8d03f6e3527110179cbe9ca6713e4052be0228642e29890a1a330eed5cbdaaded56248f07c5fc453da5adf77a5744b083fbd1e92

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:36

Reported

2024-06-13 00:38

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_5a1c3d686b9a58de464bc4fe8ce4c2df_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 435f008aa43f15ce9d42749f0b5ddbd6
SHA1 1396af9fc9a252fd16d1579d4f546432e6a4f243
SHA256 7ec2e987e77e95bcaaf60ad9a0c99590f3f3a213cbcc5888153742b151806d31
SHA512 f69fecd0ca34cd5baba4a0b9a69270e2448837d377cd8c975f9c0b84c441bdd44959e7aba694a92534347391ce9fb3604e0254ce8dc4e6804ac9833e6339bdf8

C:\Users\Admin\AppData\Local\Temp\Pwhp1xlp6p38Klm.exe

MD5 18147281b9055821fb845d96bd1ef8b3
SHA1 9d79f2232b7f7009680594d1a9909ebbf1f072cc
SHA256 bb697c41d18de01a5cb38354e7db2ad1b9b3ca86419d12399b7970836d07901e
SHA512 cafb05b65779ac0f38a43d03fde27feb47b0c9e68b50dfb670d3fbfc723a9f5ebbef94d87f065c350ae992cb1f9bc98375b6473ff7a5ecdafc5692a7c1991a49
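Host triage check built from the indicators in this report (the Run\CTS value logged in both behavioral1 and behavioral2, and the SHA256 hashes in the Files sections). This is an added example, not part of the sandbox report: the `reg export` text it parses is constructed here for illustration, and the "executable launched directly from C:\Windows" heuristic is the editor's generalisation of what this sample does, not something the sandbox itself flags. Two caveats a responder should keep in mind: the sandbox recorded the key under Wow6432Node because the sample runs as a 32-bit process on 64-bit Windows, so the native and the WOW64 Run keys both need checking; and the Temp-directory executables (SfeLVmqxnqmAFx7.exe, Pwhp1xlp6p38Klm.exe) have different names and hashes in the two detonations, so C:\Windows\CTS.exe, whose hash is identical in both runs, is the stable file indicator.

```python
"""Triage checks derived from the sandbox report: Run-key persistence and
dropped-file hashes. Added example, not part of the report itself."""
import hashlib
import re
from pathlib import Path

# SHA256 values copied from the report. C:\Windows\CTS.exe is the only dropped
# file with the same hash in both detonations.
IOC_SHA256 = {
    "86d3188cd7bd8b2be012a0eafbd82f29ec0499ba4fc720d474cbd3ad6ff987df": "submitted sample",
    "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163": "C:\\Windows\\CTS.exe (dropped)",
    "def57904a9a4fc4033ba036c31af179481c1aada4f3fa6866203b3b11f11f9fd": "Temp\\SfeLVmqxnqmAFx7.exe (behavioral1)",
    "bb697c41d18de01a5cb38354e7db2ad1b9b3ca86419d12399b7970836d07901e": "Temp\\Pwhp1xlp6p38Klm.exe (behavioral2)",
}

# The Run value the sample sets: name "CTS", data C:\Windows\CTS.exe.
IOC_RUN_VALUE = ("CTS", r"C:\Windows\CTS.exe")

# The sandbox logged the WOW6432Node key (32-bit process on x64). Check the
# native key and HKCU as well; a 64-bit build would land in the native key.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed `reg export` output (not captured from the sandbox): one benign
# value, the CTS entry, and a RunOnce key that the parser must ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="C:\\Windows\\system32\\VBoxTray.exe"
"CTS"="C:\\Windows\\CTS.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\system32\\cmd.exe /c del C:\\tmp\\x"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {(key, value_name): command} for values under any key in RUN_KEYS.

    .reg files double every backslash inside string data; undo that so the
    command compares directly against the report's indicator.
    """
    values = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = key if key.lower() in (k.lower() for k in RUN_KEYS) else None
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[(current, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return values


def flag_run_values(values):
    """Flag the exact IOC and, as an editor-added heuristic, any Run value whose
    executable sits directly in C:\\Windows (not System32/SysWOW64), which is
    where this sample drops its copy and where legitimate autostarts rarely live."""
    flagged = []
    for (key, name), cmd in values.items():
        exe = cmd.strip('"').split(" ")[0]  # assumes unquoted paths carry no spaces
        in_windows_root = re.fullmatch(r"(?i)c:\\windows\\[^\\]+\.exe", exe) is not None
        if (name, exe) == IOC_RUN_VALUE or in_windows_root:
            flagged.append({"key": key, "name": name, "command": cmd})
    return flagged


def sha256_file(path):
    """Stream-hash a file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(paths):
    """Map each existing file whose SHA256 is in IOC_SHA256 to the report's label."""
    hits = {}
    for p in paths:
        p = Path(p)
        if p.is_file():
            digest = sha256_file(p)
            if digest in IOC_SHA256:
                hits[str(p)] = IOC_SHA256[digest]
    return hits


if __name__ == "__main__":
    for hit in flag_run_values(parse_run_values(SAMPLE_REG_EXPORT)):
        print("persistence:", hit)
    print("file IOC hits:", match_hashes([r"C:\Windows\CTS.exe"]))
```

On a live host, feed `parse_run_values` the output of `reg export` for each key in RUN_KEYS and pass `match_hashes` the paths from the Files sections plus anything the Run values point at; a hash match on C:\Windows\CTS.exe confirms this exact dropper, while a flagged Run value with a different hash still warrants pulling the file.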