Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-06-2024 04:35

General

  • Target

    2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe

  • Size

    18.3MB

  • MD5

    42ba3a14d9c6ab637d6bd3c8d2d159c9

  • SHA1

    43edac49b5bb804176c7ba462e43f9ed9f6878e0

  • SHA256

    a6948279d46c237e099bc1adfee11b0640e692b1f1ce2fdf8df43058e211a711

  • SHA512

    730ae95750e5841def0519743c09861befdbad6006184bd91668c4b984c11124e9de0a1bc76a343e2b2411c6fed1287f0a9f7303f8f13aeb5d0baddb433f20b1

  • SSDEEP

    393216:TtoXSiTkernaK0Z3SsJTIDfx+YdCPlMitdyeAP/1JJPTe:aBdrnanbl+d0+itoRlbPTe

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (38 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other stored secrets.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks system information in the registry (2 TTPs, 2 IoCs)

    System information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory (3 IoCs)
  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • NTFS ADS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe
      C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\$Windows.~WS\Sources\SetupHost.Exe
        "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks system information in the registry
        • Checks processor information in registry
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\$Windows.~WS\Sources\DiagTrackRunner.exe
          C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1676
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2704
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2324

Downloads