Analysis Overview
SHA256
e5b966e0e1e54ddf6ea0e78fe0e1bad3c08a7872f789cdde9d5a6a810cbd492b
Threat Level: Shows suspicious behavior
The file 2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 03:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 03:51
Reported
2024-06-13 03:53
Platform
win7-20240611-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1936 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1936 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1936 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1936 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\nGfP9VUgwME80ol.exe
| MD5 | 6d63c827130a3c148780e6f8e5aa62e0 |
| SHA1 | 267642496a8da22929fb6e41dd844ffa564c222c |
| SHA256 | 47644ccbec332c54210725219ba0e9166d3c5536da0c3c13ccef7e0ce3126065 |
| SHA512 | f88f7184b697b6d1dfdc00011ee9ee050e164afd9631b3ace1527925d88e2f7561ee4e84538794974b310188050487579da22c2f0ba50d75d417551786cccc57 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 03:51
Reported
2024-06-13 03:53
Platform
win10v2004-20240611-en
Max time kernel
120s
Max time network
100s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1012 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1012 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1012 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d3b25507101c1664beb2e07bc784b0bb_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 6750bf0c5f2d8d70eac1449c4cf7d881 |
| SHA1 | 1ac0dd3f2fe32609256c1b98c70fb68fa27e5da6 |
| SHA256 | d7392e038f3e3023c6464f81a11ab22fe566aae50f01821a0dd9dacdf727ab88 |
| SHA512 | 0880edcd1fceea820d019c13caf02bd3cc78bd68dea4a98d73e8888cf205cb7c0771676dfe811004658160a304abe68c83bf3f33aa92e9df2f3223590e3f64f0 |
C:\Users\Admin\AppData\Local\Temp\mkW4aGS15EZkymD.exe
| MD5 | dd109eaeda70c835005847214547f656 |
| SHA1 | ca848099434f0e8fe098e21fec098403d2554048 |
| SHA256 | d6eecfa9d844a61ec1a111a3b2851208206f81d08e001c46df2842b54e64d0ac |
| SHA512 | 38305f4ae65aac1c73cb2cc8a00cd5dbc4d78d316bcade66fa686e21bf773c1ebbbf2acc343d2ef460bd6e81aa70779ef94b22021aa6adacff9531b6e7c7e81d |