Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 04:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
Size: 18.3MB
MD5: 42ba3a14d9c6ab637d6bd3c8d2d159c9
SHA1: 43edac49b5bb804176c7ba462e43f9ed9f6878e0
SHA256: a6948279d46c237e099bc1adfee11b0640e692b1f1ce2fdf8df43058e211a711
SHA512: 730ae95750e5841def0519743c09861befdbad6006184bd91668c4b984c11124e9de0a1bc76a343e2b2411c6fed1287f0a9f7303f8f13aeb5d0baddb433f20b1
SSDEEP: 393216:TtoXSiTkernaK0Z3SsJTIDfx+YdCPlMitdyeAP/1JJPTe:aBdrnanbl+d0+itoRlbPTe
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (SetupHost.Exe)
Executes dropped EXE (4 IoCs)
  PID 2172 CGmLd6UtAYTXgDG.exe
  PID 4456 CTS.exe
  PID 4588 SetupHost.Exe
  PID 4092 DiagTrackRunner.exe
Loads dropped DLL (16 IoCs)
  PID 4588 SetupHost.Exe (15 loads)
  PID 4092 DiagTrackRunner.exe (1 load)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
  (no IoCs listed for this signature)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (CTS.exe)
Both the sample and the dropped CTS.exe write the same Run value, so the persistence is re-registered each time CTS.exe runs. The WOW6432Node path is what WOW64 registry redirection produces when a 32-bit process writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows; when checking a live host for this entry, inspect both the native and the WOW6432Node Run keys.
Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (SetupHost.Exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (SetupHost.Exe)
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\CTS.exe (2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe)
  File created: C:\Windows\CTS.exe (CTS.exe)
  File opened for modification: C:\Windows\Logs\MoSetup\BlueBox.log (CGmLd6UtAYTXgDG.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (SetupHost.Exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (SetupHost.Exe)
NTFS ADS (1 IoC)
  File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA (SetupHost.Exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4588 SetupHost.Exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  PID 1908 2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe: SeDebugPrivilege
  PID 4456 CTS.exe: SeDebugPrivilege
  PID 2172 CGmLd6UtAYTXgDG.exe: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeRestorePrivilege
  PID 4588 SetupHost.Exe: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeRestorePrivilege
  PID 4092 DiagTrackRunner.exe: SeDebugPrivilege (3 occurrences)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2172 CGmLd6UtAYTXgDG.exe
  PID 4588 SetupHost.Exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1908 (2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe) wrote to memory of PID 2172 (CGmLd6UtAYTXgDG.exe), 3 occurrences
  PID 1908 (2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe) wrote to memory of PID 4456 (CTS.exe), 3 occurrences
  PID 2172 (CGmLd6UtAYTXgDG.exe) wrote to memory of PID 4588 (SetupHost.Exe), 3 occurrences
  PID 4588 (SetupHost.Exe) wrote to memory of PID 4092 (DiagTrackRunner.exe), 3 occurrences
System policy modification (1 TTP, 1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection (DiagTrackRunner.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"
  PID: 1908
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe
    command line: C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe
    PID: 2172
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\$Windows.~WS\Sources\SetupHost.Exe
      command line: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
      PID: 4588
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks system information in the registry
      - Checks processor information in registry
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\$Windows.~WS\Sources\DiagTrackRunner.exe
        command line: C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
        PID: 4092
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
  C:\Windows\CTS.exe
    command line: "C:\Windows\CTS.exe"
    PID: 4456
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2920
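The Signatures and Processes sections are the sandbox's tables flattened into text. Two things worth pulling out of them: the process tree (sample -> CGmLd6UtAYTXgDG.exe -> SetupHost.Exe -> DiagTrackRunner.exe, and sample -> CTS.exe) can be rebuilt from the WriteProcessMemory rows alone, and the Run-key rows can be joined to the "File created" rows to show which processes dropped C:\Windows\CTS.exe and which registered it, including CTS.exe re-registering its own path. The following is an added Python example written for this page, not code from the sandbox or from the sample's author; the regular expressions match the row wording as it appears in the Signatures section, and the input lists are constructed from those rows (with the three identical WriteProcessMemory rows per edge collapsed to one). One caveat, my reading rather than a statement the report makes: the location, system-information and processor-information signatures fire in SetupHost.Exe and DiagTrackRunner.exe, which run from C:\$Windows.~WS\Sources, the staging directory Windows Setup uses, so weigh those hits separately from the behaviour of the sample and CTS.exe.

```python
import re

# Sandbox IoC rows constructed from the report above (same wording as the
# Signatures section). SAMPLE is the submitted file's name.
SAMPLE = "2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"

WRITE_PROCESS_MEMORY = [
    f"PID 1908 wrote to memory of 2172 1908 {SAMPLE} CGmLd6UtAYTXgDG.exe",
    f"PID 1908 wrote to memory of 4456 1908 {SAMPLE} CTS.exe",
    "PID 2172 wrote to memory of 4588 2172 CGmLd6UtAYTXgDG.exe SetupHost.Exe",
    "PID 4588 wrote to memory of 4092 4588 SetupHost.Exe DiagTrackRunner.exe",
]
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"
REGISTRY_EVENTS = [
    # The report escapes backslashes inside the quoted value ("C:\\Windows\\CTS.exe").
    rf'Set value (str) {RUN_KEY} = "C:\\Windows\\CTS.exe" {SAMPLE}',
    rf'Set value (str) {RUN_KEY} = "C:\\Windows\\CTS.exe" CTS.exe',
]
FILE_EVENTS = [
    rf"File created C:\Windows\CTS.exe {SAMPLE}",
    r"File created C:\Windows\CTS.exe CTS.exe",
    r"File opened for modification C:\Windows\Logs\MoSetup\BlueBox.log CGmLd6UtAYTXgDG.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
REG_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
FILE_RE = re.compile(r"^File (created|opened for modification) (\S+) (\S+)$")
RUN_KEY_MARKER = "\\CurrentVersion\\Run\\"  # covers native and WOW6432Node Run keys


def build_tree(lines):
    """Rebuild parent -> child edges from WriteProcessMemory rows.

    Returns {pid: {"image", "parent", "children"}}; repeated rows for the
    same edge (the sandbox lists each write) are de-duplicated.
    """
    procs = {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {line!r}")
        ppid, pid, pimage, image = int(m[1]), int(m[2]), m[3], m[4]
        procs.setdefault(ppid, {"image": pimage, "parent": None, "children": []})
        child = procs.setdefault(pid, {"image": image, "parent": None, "children": []})
        child["parent"] = ppid
        if pid not in procs[ppid]["children"]:
            procs[ppid]["children"].append(pid)
    return procs


def ancestry(procs, pid):
    """PIDs from the root down to pid, e.g. [1908, 2172, 4588, 4092]."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid]["parent"]
    return chain[::-1]


def render_tree(procs, pid=None, depth=0):
    """Indented text tree, one process per line, roots first."""
    if pid is None:
        roots = [p for p, info in procs.items() if info["parent"] is None]
        return "\n".join(render_tree(procs, r) for r in roots)
    line = "  " * depth + f"{procs[pid]['image']} (PID {pid})"
    return "\n".join([line] + [render_tree(procs, c, depth + 1) for c in procs[pid]["children"]])


def persistence_findings(registry_lines, file_lines):
    """Join Run-key writes to 'File created' rows on the same target path.

    Each finding records who wrote the Run value, who dropped the target
    binary, and whether the target re-registered itself (self_persisting).
    """
    created_by = {}
    for line in file_lines:
        m = FILE_RE.match(line)
        if m and m[1] == "created":
            created_by.setdefault(m[2].lower(), []).append(m[3])
    findings, seen = [], {}
    for line in registry_lines:
        m = REG_RE.match(line)
        if not m or RUN_KEY_MARKER not in m[1]:
            continue
        key, raw_value, proc = m.groups()
        target = raw_value.replace("\\\\", "\\")  # undo the report's escaping
        f = seen.get((key, target.lower()))
        if f is None:
            f = {"key": key, "value_name": key.rsplit("\\", 1)[1], "target": target,
                 "set_by": [], "created_by": created_by.get(target.lower(), []),
                 "self_persisting": False}
            seen[(key, target.lower())] = f
            findings.append(f)
        f["set_by"].append(proc)
        if proc.lower() == target.rsplit("\\", 1)[1].lower():
            f["self_persisting"] = True  # the dropped binary re-registers its own path
    return findings


if __name__ == "__main__":
    procs = build_tree(WRITE_PROCESS_MEMORY)
    print(render_tree(procs))
    for f in persistence_findings(REGISTRY_EVENTS, FILE_EVENTS):
        print(f"Run value {f['value_name']!r} -> {f['target']}: set by {f['set_by']}, "
              f"dropped by {f['created_by']}, self-persisting={f['self_persisting']}")
```

Run stand-alone, the script prints the five-process tree and one finding: the Run value CTS pointing at C:\Windows\CTS.exe, written first by the sample and then by CTS.exe itself, with the target dropped by both. The same two parsers work on the other behavioural reports from this sandbox as long as the row wording is unchanged.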
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 77KB
MD5: 76f30a1e149792d2542a253b920cbef6
SHA1: 9040e0873df5cc2a64b850d1b8159b77528ba62c
SHA256: 488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159
SHA512: ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

Filesize: 14.6MB
MD5: 9921c2a0d68a011620bd5916cc11e54d
SHA1: e68c1c59600d28968dafadc300225b3ef8e4ebdc
SHA256: 50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696
SHA512: 4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f

Filesize: 192KB
MD5: 4bc291b5d6ce45bc082e47bacb49c3ff
SHA1: c5ce9db96d10e0f50677704dcb7b524795a5c204
SHA256: 7ebd88beb9c9eb0164850a93a33078d692a93a25a02b51bc0ad92ad14164ee29
SHA512: 0b54ed8a83a50caba8dbbfeccabeaa385f1d729f4496e204a9a4c8ccbc146ffce46ab2c99dfaaed57b3d14b8f0abc0d0160e1be8575ae2c1ba5f8a6d0110ce39

Filesize: 1.9MB
MD5: 446969e79d71cb6075f26349ac9345bc
SHA1: 6efefe6037458e495a07dd86dc68bf788c638ca9
SHA256: 26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3
SHA512: 8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d

Filesize: 681KB
MD5: a0b1786c1a59ddac1024956723f58a73
SHA1: 828d9cdb9cc2b6c49843422da49a14ebbf44d3d5
SHA256: 59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2
SHA512: a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc

Filesize: 678KB
MD5: 5492a750f2c92ef126621fe0468b779a
SHA1: 64e2d1fafbc008144df94cf3160319e0452d929e
SHA256: 2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10
SHA512: a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35

Filesize: 6.1MB
MD5: 10fe8f9a16755bf9ca3c5e94bfbf7178
SHA1: 260c06924a55582d4f4dbdfe7d0bccdd00208f9b
SHA256: 2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd
SHA512: c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110

Filesize: 232KB
MD5: 66190a933f32c6521a08c6ea76ac0fe3
SHA1: 3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de
SHA256: d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9
SHA512: fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe

Filesize: 1.1MB
MD5: 6ca8df94e48799196c24b7274a48fdaa
SHA1: 0cb34852203277829668db49afc5d25bd382f8ba
SHA256: 0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7
SHA512: e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038

Filesize: 901KB
MD5: 6c3f6a6bc5ede978e9dfe1acce386339
SHA1: 3b7b51d762c593e92123f9365a896ed64ee26a7a
SHA256: b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c
SHA512: 3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

Filesize: 8KB
MD5: 1405595a81a70c012ace6b3f618351b2
SHA1: 9b398dbddef2a0c048790f6ca4be57899f0f71c0
SHA256: ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43
SHA512: a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d

Filesize: 827KB
MD5: 9aebdb604a0cec305568f2742cc6a3d2
SHA1: 851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9
SHA256: 82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93
SHA512: 3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb

Filesize: 193KB
MD5: 8929e1ce63abc413ab88f31f3a45aba2
SHA1: 49f37061d17cbe0482255aacfdabf10e67839ecb
SHA256: 80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161
SHA512: 3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5

Filesize: 1.0MB
MD5: c963819dd589b833b2fde3b9e08605f3
SHA1: 72613ba4e8161fb8a6d0e0237e397285747a1e72
SHA256: b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6
SHA512: 5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1

Filesize: 394KB
MD5: 4357ad059ae203f9d2de05c4cb416c5e
SHA1: 2c8e8b7778e4b798b431c59612d556ac364b4e1e
SHA256: 1d37a3f2a9940672abd32e38996ca137ec141beff8fce02f1e5008d65159f75e
SHA512: 52db1204c48377e517247cc01ba9f0f66ae66e25a6f2474f36f827690fbdf705f408a9d5dacdd0463a7eb138ab7e2fe46d4fa5dc5eed5902e04b1c975091505d

Filesize: 18.2MB
MD5: db3fccad4aead91689d62822232d56bc
SHA1: c00ecaf95ed3b727aae581d41af99b5fbc762865
SHA256: aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4
SHA512: 8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909

Filesize: 71KB
MD5: 66df4ffab62e674af2e75b163563fc0b
SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25