Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-eenqpaxbjj
Target 2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware
SHA256 e5b966e0e1e54ddf6ea0e78fe0e1bad3c08a7872f789cdde9d5a6a810cbd492b
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e5b966e0e1e54ddf6ea0e78fe0e1bad3c08a7872f789cdde9d5a6a810cbd492b

Threat Level: Shows suspicious behavior

The file 2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:51

Reported

2024-06-13 03:53

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\nGfP9VUgwME80ol.exe

MD5 6d63c827130a3c148780e6f8e5aa62e0
SHA1 267642496a8da22929fb6e41dd844ffa564c222c
SHA256 47644ccbec332c54210725219ba0e9166d3c5536da0c3c13ccef7e0ce3126065
SHA512 f88f7184b697b6d1dfdc00011ee9ee050e164afd9631b3ace1527925d88e2f7561ee4e84538794974b310188050487579da22c2f0ba50d75d417551786cccc57

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:51

Reported

2024-06-13 03:53

Platform

win10v2004-20240611-en

Max time kernel

120s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 52.111.227.14:443 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 6750bf0c5f2d8d70eac1449c4cf7d881
SHA1 1ac0dd3f2fe32609256c1b98c70fb68fa27e5da6
SHA256 d7392e038f3e3023c6464f81a11ab22fe566aae50f01821a0dd9dacdf727ab88
SHA512 0880edcd1fceea820d019c13caf02bd3cc78bd68dea4a98d73e8888cf205cb7c0771676dfe811004658160a304abe68c83bf3f33aa92e9df2f3223590e3f64f0

C:\Users\Admin\AppData\Local\Temp\mkW4aGS15EZkymD.exe

MD5 dd109eaeda70c835005847214547f656
SHA1 ca848099434f0e8fe098e21fec098403d2554048
SHA256 d6eecfa9d844a61ec1a111a3b2851208206f81d08e001c46df2842b54e64d0ac
SHA512 38305f4ae65aac1c73cb2cc8a00cd5dbc4d78d316bcade66fa686e21bf773c1ebbbf2acc343d2ef460bd6e81aa70779ef94b22021aa6adacff9531b6e7c7e81d