Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-ebe95swhqj
Target 2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware
SHA256 e101f7550db0f220224e846a6a14da87450d2e401af676dc98c45aaf1cb22404
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e101f7550db0f220224e846a6a14da87450d2e401af676dc98c45aaf1cb22404

Threat Level: Shows suspicious behavior

The file 2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:45

Reported

2024-06-13 03:48

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\mObfcWnqn7Aixh5.exe

MD5 fecc3dfb533d92e662f8f45fa8257b7a
SHA1 f1deeebbc0d4b3a0a904f20bb0bee2492e0ea4d9
SHA256 a1896e93895f2c7857136bdb2d3ca384095bdda82be4ac81d52463ac6986beaa
SHA512 405bb7e2de5a36a6c7838ea8733ceac39007e6b3f1d9f57c71824002981e81a05c4fc78fb6e7b6f70a97b88a52ae062a2faa469211d0650e3b8e322eeae7b81a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:45

Reported

2024-06-13 03:48

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_9a9168e5de25fc2ff66702805cb63db4_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 588378ecff439c4526c7e4c52c08ef9a
SHA1 7c07db303e1b9a752f89b4d5d66ee199ddc27b41
SHA256 1433f659bae2a21a46f4c15c72d38c5158668ef90e838eabe01545d36edbfc11
SHA512 95d58898236bb3803766762c246f160a7a81703f7a30c661a29a10a7a2f5127c6da8393f0eda964ba82527dc19d6413535f515091ee5717b200b9f06247cfd59

C:\Users\Admin\AppData\Local\Temp\o59F1Hlo5AJliII.exe

MD5 b675ec69f7f2680f089b5322df4af297
SHA1 14966fce605fb22d9e335066be00791f8ac7fb3c
SHA256 492897401b2144711f7f6539e3165acde52912029c51520bb243c21274a4617d
SHA512 16284705a8d6d33232c804a3290fbde565b89044d5e56d00ed165ae22352d304d3228871e263d6b91e5a0aac226f57cf3da794ebf7dfcf218a6a9e21326ea3ed