Malware Analysis Report

2024-11-15 06:34

Sample ID: 240613-e2dt1atgqe
Target: 2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware
SHA256: b732cd56ad5917c6e082eb84073c11575c1b4db0560d5257a204112d081c7bae
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b732cd56ad5917c6e082eb84073c11575c1b4db0560d5257a204112d081c7bae

Threat Level: Shows suspicious behavior

The file 2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 04:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 04:25
Reported: 2024-06-13 04:28
Platform: win7-20240419-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\QGDIMOtOf2FSLiS.exe

MD5 cec80b3a0758cda009f483214caae369
SHA1 85191d763632804b7ac60d712614ea3aea7a4b5a
SHA256 123dece3768ea57b3b481bdaf46130146fa768d0f4863b5b90cc000923d728d4
SHA512 2e3795a9d4610b9655534eb821415716d3331e40dea39b92188a69327ba4a477e5d7c9e051495a8f8c5a36fca5448701ceeda3b5658610858d6c0ce1292b7e45

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 04:25
Reported: 2024-06-13 04:28
Platform: win10v2004-20240611-en
Max time kernel: 125s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4184,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 f65e522a3861b2fafee1fce8fbfa9189
SHA1 a9261c3a222863d713b4975e1599b6fdcc4dc0da
SHA256 8df62214fb2962d81689b72154dc7d9d6f43ed2b06755857904fed0df4c53b43
SHA512 1c9454140882a4eccec2bcc400b256f1e164613dbf8b4d10e413c37a30cc6a804d8bc71c1646a48a88e2605fda4315dda27f753dd7abcb31da7a0f4f27bc4fc6

C:\Users\Admin\AppData\Local\Temp\YU5YMXRpqiua8Dw.exe

MD5 26ef93be0287b6a63277afb2b6bd56ac
SHA1 19f4997052ab68f245e31d570571ee4f00e32f65
SHA256 3895687c754f7b6f702128f26ca5e2e604d9ad1a3d1b18147f6b74d858fe14da
SHA512 1a969c92704fa26016ccb806848393720ee6cab9b67f5efac244599ada94be42e1658f2c313644f3e845e9eda040444d8dfa0925eb607b830622c352f25754e4