Analysis Overview
SHA256
3cc717b344f1164fe5eaff17596dfd2ce49ba8ab50cf07bf068c5df52a1c8d0f
Threat Level: Shows suspicious behavior
The file 2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:25
Reported
2024-06-13 04:27
Platform
win10v2004-20240508-en
Max time kernel
80s
Max time network
100s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1316 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1316 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1316 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.111.227.11:443 | | tcp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 29359c8ae56c3c6a806788a2026ae4f1 |
| SHA1 | 7afc7e7a4aabc5b67e0de88716975275a0a67232 |
| SHA256 | 99525f121c839957dd90a784d4f06773ccbe039291818531a6600f98e60f70c2 |
| SHA512 | 27b5521839842a5ef5385218eae25261a82efacd7e722246968a0d1b8d968826b6ff8598edd59680b9a58361788a21fd57a29ecd5944bcb64bbfedec592b8883 |
C:\Users\Admin\AppData\Local\Temp\8GS7lyMZ7TUWBJS.exe
| MD5 | 3c6e6d590822e761aa5b92807c636487 |
| SHA1 | 1d371791bb2ec4f5166c1c9f487fa460b4ddac67 |
| SHA256 | 96eee9137db82f72e28b1b22314bd55217e8513bf0598f5c3122e0da022c5fcb |
| SHA512 | 789c3f28ead265090c21033d236ed4f1f3c59b4a5ecb56e43dcaaff95f769298315709c4aca9cbe712e29406e7fce8df9a62ebbc758508fffb9c7b0cb084da4f |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:25
Reported
2024-06-13 04:27
Platform
win7-20240508-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2980 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2980 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2980 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2980 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\CIExugmqw72J1cU.exe
| MD5 | 63a05f3172c8a0373029e3e380fd31cb |
| SHA1 | aa9665b992af1f4386545eb0e2c7d5713f5d0bb2 |
| SHA256 | c056632539c6288763487dac272a276b7c29284ffbc9e5079dfe5876353fc8f9 |
| SHA512 | 5e2da67e9ef7e03a0d5e70713a8c6a692c73cbbbd3dad19db3f23bfcac7ad6c955da587034b570507d800c544ddd7c13af1ae63386093f4f1dd75fe0410671fd |