Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-e11blsxfrq
Target 2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware
SHA256 3cc717b344f1164fe5eaff17596dfd2ce49ba8ab50cf07bf068c5df52a1c8d0f
Tags: persistence spyware stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

3cc717b344f1164fe5eaff17596dfd2ce49ba8ab50cf07bf068c5df52a1c8d0f

Threat Level: Shows suspicious behavior

The file 2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:25

Reported

2024-06-13 04:27

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 52.111.227.11:443 | N/A | tcp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 29359c8ae56c3c6a806788a2026ae4f1
SHA1 7afc7e7a4aabc5b67e0de88716975275a0a67232
SHA256 99525f121c839957dd90a784d4f06773ccbe039291818531a6600f98e60f70c2
SHA512 27b5521839842a5ef5385218eae25261a82efacd7e722246968a0d1b8d968826b6ff8598edd59680b9a58361788a21fd57a29ecd5944bcb64bbfedec592b8883

C:\Users\Admin\AppData\Local\Temp\8GS7lyMZ7TUWBJS.exe

MD5 3c6e6d590822e761aa5b92807c636487
SHA1 1d371791bb2ec4f5166c1c9f487fa460b4ddac67
SHA256 96eee9137db82f72e28b1b22314bd55217e8513bf0598f5c3122e0da022c5fcb
SHA512 789c3f28ead265090c21033d236ed4f1f3c59b4a5ecb56e43dcaaff95f769298315709c4aca9cbe712e29406e7fce8df9a62ebbc758508fffb9c7b0cb084da4f

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:25

Reported

2024-06-13 04:27

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2bba3977125de893ab5fd1c7383e26d4_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\CIExugmqw72J1cU.exe

MD5 63a05f3172c8a0373029e3e380fd31cb
SHA1 aa9665b992af1f4386545eb0e2c7d5713f5d0bb2
SHA256 c056632539c6288763487dac272a276b7c29284ffbc9e5079dfe5876353fc8f9
SHA512 5e2da67e9ef7e03a0d5e70713a8c6a692c73cbbbd3dad19db3f23bfcac7ad6c955da587034b570507d800c544ddd7c13af1ae63386093f4f1dd75fe0410671fd