Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-efdxwaxbkj
Target 2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware
SHA256 ebce197b826e30c0206f28e62edfef1d624cd290345d229812b4377396020b6a
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ebce197b826e30c0206f28e62edfef1d624cd290345d229812b4377396020b6a

Threat Level: Shows suspicious behavior

The file 2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:52

Reported

2024-06-13 03:55

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\DX6NVYHW6VcX9vY.exe

MD5 cc004b9079f965679a078e477f3e6627
SHA1 ee2c04a1cb8b2081920420fd816f7a50e6b9d160
SHA256 fdd347a2626a159e61255be450bd8f7e35d323b3e88f8042b5277c25c5c568fd
SHA512 b5b37e6578d60d0813dcc1c725fa773f5571efbefe75b0e4111d7e7d4addaa18fa43b5377b2f4f7d07e978a97685733a884a88d01fab51bff3116c37a7bf0f11

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:52

Reported

2024-06-13 03:55

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_e3e22c3ade7b7fba3affee9afd606415_bkransomware.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 1b0fdfeea83ad199b45aea68c657656c
SHA1 346461d6bcb6887c14c4a7648e403fe365b25a6e
SHA256 4bf9fc6dc903d8b3c0d7d3a742a9e3f0171c201b6b8bab62072becbf0a7df597
SHA512 1f2577ae9e559eefcbe8cb05a6904ae00cc74ec86bfb8b8ba6ad3befa7f2d34771b1d79e397067d4c2391acff82501427b8b4c32672215c1f3156e219b7c9fc8

C:\Users\Admin\AppData\Local\Temp\Hur0bPoAAGhsCU5.exe

MD5 436b9ecaa9855d2ffe3d40ed46b9e35c
SHA1 5067bd2a34093b6f268f902c1e62b7a7cb70870e
SHA256 7880c230030dd4df4df98bee91ef44cfac8a3176fb9d8ede08b53f60634f49ac
SHA512 16ef627cd3191f700cd03fc89ee4bc4216c8c18a017e8008b3b0ac77de15f85dce92f958edb249706eef6f62d6ef9f6f509366fd219fedc489cc946a16dc9967