Analysis Overview
SHA256
b732cd56ad5917c6e082eb84073c11575c1b4db0560d5257a204112d081c7bae
Threat Level: Shows suspicious behavior
The file 2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:25
Reported
2024-06-13 04:28
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\QGDIMOtOf2FSLiS.exe
| MD5 | cec80b3a0758cda009f483214caae369 |
| SHA1 | 85191d763632804b7ac60d712614ea3aea7a4b5a |
| SHA256 | 123dece3768ea57b3b481bdaf46130146fa768d0f4863b5b90cc000923d728d4 |
| SHA512 | 2e3795a9d4610b9655534eb821415716d3331e40dea39b92188a69327ba4a477e5d7c9e051495a8f8c5a36fca5448701ceeda3b5658610858d6c0ce1292b7e45 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:25
Reported
2024-06-13 04:28
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3100 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3100 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | C:\Windows\CTS.exe |
| PID 3100 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4184,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | f65e522a3861b2fafee1fce8fbfa9189 |
| SHA1 | a9261c3a222863d713b4975e1599b6fdcc4dc0da |
| SHA256 | 8df62214fb2962d81689b72154dc7d9d6f43ed2b06755857904fed0df4c53b43 |
| SHA512 | 1c9454140882a4eccec2bcc400b256f1e164613dbf8b4d10e413c37a30cc6a804d8bc71c1646a48a88e2605fda4315dda27f753dd7abcb31da7a0f4f27bc4fc6 |
C:\Users\Admin\AppData\Local\Temp\YU5YMXRpqiua8Dw.exe
| MD5 | 26ef93be0287b6a63277afb2b6bd56ac |
| SHA1 | 19f4997052ab68f245e31d570571ee4f00e32f65 |
| SHA256 | 3895687c754f7b6f702128f26ca5e2e604d9ad1a3d1b18147f6b74d858fe14da |
| SHA512 | 1a969c92704fa26016ccb806848393720ee6cab9b67f5efac244599ada94be42e1658f2c313644f3e845e9eda040444d8dfa0925eb607b830622c352f25754e4 |