Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-06-2024 04:35

General

  • Target

    2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe

  • Size

    18.3MB

  • MD5

    42ba3a14d9c6ab637d6bd3c8d2d159c9

  • SHA1

    43edac49b5bb804176c7ba462e43f9ed9f6878e0

  • SHA256

    a6948279d46c237e099bc1adfee11b0640e692b1f1ce2fdf8df43058e211a711

  • SHA512

    730ae95750e5841def0519743c09861befdbad6006184bd91668c4b984c11124e9de0a1bc76a343e2b2411c6fed1287f0a9f7303f8f13aeb5d0baddb433f20b1

  • SSDEEP

    393216:TtoXSiTkernaK0Z3SsJTIDfx+YdCPlMitdyeAP/1JJPTe:aBdrnanbl+d0+itoRlbPTe

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe
      C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\$Windows.~WS\Sources\SetupHost.Exe
        "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks system information in the registry
        • Checks processor information in registry
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\$Windows.~WS\Sources\DiagTrackRunner.exe
          C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:4092
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4456
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2920
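The process tree and signatures above describe behaviour that is easy to hunt for in endpoint telemetry: a Run key written by the sample, an executable dropped into C:\Windows and then run, Windows-Setup-named binaries launched from C:\$Windows.~WS (the staging folder the Windows 10 upgrade tools normally create) by a process living in %TEMP%, and an NTFS alternate data stream write. The following script is an added example, not part of the sandbox report or of any vendor tooling. It works over Sysmon-style event records (field names Image, ParentImage, TargetObject, TargetFilename, event IDs 1, 11, 13 and 15); the event stream is constructed from the report's process tree, and the Run value name and the file carrying the ADS are assumptions, since the report does not give them.

```python
"""Hunt in Sysmon-style event records for the behaviours this report flags:
Run-key persistence, an executable dropped into C:\\Windows and later run,
Windows-Setup-named binaries launched from C:\\$Windows.~WS by a process in
%TEMP%, and NTFS alternate-data-stream writes.  Added example, not part of the
sandbox report.  Field names follow Sysmon (Image, ParentImage, TargetObject,
TargetFilename); every event below is constructed from the report's process
tree, and the Run value name and the ADS target are assumptions."""
from __future__ import annotations
import re

# Paths copied from the report's process tree.
PARENT_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe"
DROPPED_IN_WINDOWS = r"C:\Windows\CTS.exe"
SETUPHOST = r"C:\$Windows.~WS\Sources\SetupHost.Exe"

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SETUP_STAGING_RE = re.compile(r"^C:\\\$Windows\.~WS\\", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Stateless checks: return the finding labels that apply to one event."""
    findings = []
    eid = event["EventID"]
    image = event.get("Image", "")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        # Sysmon 13 (RegistryEvent, value set) under ...\CurrentVersion\Run:
        # the report's "Adds Run key to start application".
        findings.append("persistence:run-key")
    if eid == 11 and TEMP_DIR_RE.match(image) \
            and event.get("TargetFilename", "").lower().startswith("c:\\windows\\"):
        # Sysmon 11 (FileCreate): a %TEMP%-resident process writing into C:\Windows,
        # the report's "Drops file in Windows directory".
        findings.append("drop:windows-dir")
    if eid == 1 and TEMP_DIR_RE.match(event.get("ParentImage", "")) and SETUP_STAGING_RE.match(image):
        # $Windows.~WS is the staging folder the Windows 10 upgrade tools create;
        # a SetupHost.exe there spawned by something in %TEMP% deserves a look.
        findings.append("exec:setup-staging-from-temp")
    if eid == 15:
        # Sysmon 15 (FileCreateStreamHash): an NTFS alternate data stream was written.
        findings.append("ntfs:ads")
    return findings


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Run classify() over an ordered event stream and add the one stateful check:
    execution of a file that an earlier FileCreate event in the stream wrote
    (the report's "Executes dropped EXE").  Returns {label: [Image, ...]}."""
    hits: dict[str, list[str]] = {}
    dropped: set[str] = set()
    for ev in events:
        labels = classify(ev)
        if ev["EventID"] == 11:
            dropped.add(ev["TargetFilename"].lower())
        if ev["EventID"] == 1 and ev["Image"].lower() in dropped:
            labels.append("exec:dropped-exe")
        for label in labels:
            hits.setdefault(label, []).append(ev["Image"])
    return hits


# Constructed event stream modelled on the report's process tree (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": PARENT_SAMPLE, "TargetFilename": STAGE2},
    {"EventID": 1, "Image": STAGE2, "ParentImage": PARENT_SAMPLE},
    {"EventID": 13, "Image": PARENT_SAMPLE,   # value name "CTS" is an assumption
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\CTS"},
    {"EventID": 11, "Image": PARENT_SAMPLE, "TargetFilename": DROPPED_IN_WINDOWS},
    {"EventID": 1, "Image": DROPPED_IN_WINDOWS, "ParentImage": PARENT_SAMPLE},
    {"EventID": 1, "Image": SETUPHOST, "ParentImage": STAGE2},
    {"EventID": 15, "Image": SETUPHOST,        # which file carried the ADS is not in the report
     "TargetFilename": r"C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vdsldr.exe",   # COM activation, benign
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for label, images in hunt(SAMPLE_EVENTS).items():
        print(f"{label:32} {', '.join(images)}")
```

The stateful check in hunt() is what turns "a file was created" plus "a process started" into the report's "Executes dropped EXE" finding; running classify() alone on the same events misses it, which is why the two dropped binaries (CGmLd6UtAYTXgDG.exe and C:\Windows\CTS.exe) only appear under exec:dropped-exe when the stream is processed in order. The vdsldr.exe -Embedding launch at the bottom of the process tree is included as a control: it is ordinary COM activation and produces no finding.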

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\$Windows.~WS\Sources\DiagTrackRunner.exe

      Filesize

      77KB

      MD5

      76f30a1e149792d2542a253b920cbef6

      SHA1

      9040e0873df5cc2a64b850d1b8159b77528ba62c

      SHA256

      488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159

      SHA512

      ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

    • C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

      Filesize

      14.6MB

      MD5

      9921c2a0d68a011620bd5916cc11e54d

      SHA1

      e68c1c59600d28968dafadc300225b3ef8e4ebdc

      SHA256

      50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696

      SHA512

      4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f

    • C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

      Filesize

      192KB

      MD5

      4bc291b5d6ce45bc082e47bacb49c3ff

      SHA1

      c5ce9db96d10e0f50677704dcb7b524795a5c204

      SHA256

      7ebd88beb9c9eb0164850a93a33078d692a93a25a02b51bc0ad92ad14164ee29

      SHA512

      0b54ed8a83a50caba8dbbfeccabeaa385f1d729f4496e204a9a4c8ccbc146ffce46ab2c99dfaaed57b3d14b8f0abc0d0160e1be8575ae2c1ba5f8a6d0110ce39

    • C:\$Windows.~WS\Sources\SetupCore.dll

      Filesize

      1.9MB

      MD5

      446969e79d71cb6075f26349ac9345bc

      SHA1

      6efefe6037458e495a07dd86dc68bf788c638ca9

      SHA256

      26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3

      SHA512

      8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d

    • C:\$Windows.~WS\Sources\SetupHost.exe

      Filesize

      681KB

      MD5

      a0b1786c1a59ddac1024956723f58a73

      SHA1

      828d9cdb9cc2b6c49843422da49a14ebbf44d3d5

      SHA256

      59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2

      SHA512

      a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc

    • C:\$Windows.~WS\Sources\SetupMgr.dll

      Filesize

      678KB

      MD5

      5492a750f2c92ef126621fe0468b779a

      SHA1

      64e2d1fafbc008144df94cf3160319e0452d929e

      SHA256

      2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10

      SHA512

      a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35

    • C:\$Windows.~WS\Sources\SetupPlatform.dll

      Filesize

      6.1MB

      MD5

      10fe8f9a16755bf9ca3c5e94bfbf7178

      SHA1

      260c06924a55582d4f4dbdfe7d0bccdd00208f9b

      SHA256

      2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd

      SHA512

      c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110

    • C:\$Windows.~WS\Sources\WDSUTIL.dll

      Filesize

      232KB

      MD5

      66190a933f32c6521a08c6ea76ac0fe3

      SHA1

      3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de

      SHA256

      d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9

      SHA512

      fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe

    • C:\$Windows.~WS\Sources\WinDlp.dll

      Filesize

      1.1MB

      MD5

      6ca8df94e48799196c24b7274a48fdaa

      SHA1

      0cb34852203277829668db49afc5d25bd382f8ba

      SHA256

      0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7

      SHA512

      e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038

    • C:\$Windows.~WS\Sources\diagtrack.dll

      Filesize

      901KB

      MD5

      6c3f6a6bc5ede978e9dfe1acce386339

      SHA1

      3b7b51d762c593e92123f9365a896ed64ee26a7a

      SHA256

      b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c

      SHA512

      3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

    • C:\$Windows.~WS\Sources\setupplatform.cfg

      Filesize

      8KB

      MD5

      1405595a81a70c012ace6b3f618351b2

      SHA1

      9b398dbddef2a0c048790f6ca4be57899f0f71c0

      SHA256

      ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43

      SHA512

      a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d

    • C:\$Windows.~WS\Sources\unbcl.dll

      Filesize

      827KB

      MD5

      9aebdb604a0cec305568f2742cc6a3d2

      SHA1

      851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9

      SHA256

      82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93

      SHA512

      3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb

    • C:\$Windows.~WS\Sources\wdscore.dll

      Filesize

      193KB

      MD5

      8929e1ce63abc413ab88f31f3a45aba2

      SHA1

      49f37061d17cbe0482255aacfdabf10e67839ecb

      SHA256

      80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161

      SHA512

      3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5

    • C:\$Windows.~WS\Sources\wpx.dll

      Filesize

      1.0MB

      MD5

      c963819dd589b833b2fde3b9e08605f3

      SHA1

      72613ba4e8161fb8a6d0e0237e397285747a1e72

      SHA256

      b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6

      SHA512

      5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

      Filesize

      394KB

      MD5

      4357ad059ae203f9d2de05c4cb416c5e

      SHA1

      2c8e8b7778e4b798b431c59612d556ac364b4e1e

      SHA256

      1d37a3f2a9940672abd32e38996ca137ec141beff8fce02f1e5008d65159f75e

      SHA512

      52db1204c48377e517247cc01ba9f0f66ae66e25a6f2474f36f827690fbdf705f408a9d5dacdd0463a7eb138ab7e2fe46d4fa5dc5eed5902e04b1c975091505d

    • C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe

      Filesize

      18.2MB

      MD5

      db3fccad4aead91689d62822232d56bc

      SHA1

      c00ecaf95ed3b727aae581d41af99b5fbc762865

      SHA256

      aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4

      SHA512

      8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909

    • C:\Windows\CTS.exe

      Filesize

      71KB

      MD5

      66df4ffab62e674af2e75b163563fc0b

      SHA1

      dec8a197312e41eeb3cfef01cb2a443f0205cd6e

      SHA256

      075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

      SHA512

      1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
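The hash lists above are the IoCs a responder would sweep a host or a mounted disk image for. The script below is an added example, not part of the sandbox report or of any vendor tooling: it computes MD5, SHA-1 and SHA-256 in a single pass over each file (the artifacts here are up to 18 MB) so a hit can be checked against all three values the report gives, and it walks a directory tree skipping files it cannot open. The SHA-256 table is copied from the report's General and Downloads sections; the file the demo scans is constructed so the script runs offline without the real sample.

```python
"""Match files on disk against the hashes this report lists, computing MD5,
SHA-1 and SHA-256 in one pass so a hit can be compared with all three values
the report gives.  Added example, not part of the sandbox report.  The SHA-256
table is copied from the report's General and Downloads sections; the file
the demo scans is constructed so the script runs offline without the real
sample."""
import hashlib
import os
import tempfile

# SHA-256 -> what the report calls that artifact.
REPORT_SHA256 = {
    "a6948279d46c237e099bc1adfee11b0640e692b1f1ce2fdf8df43058e211a711": "submitted sample",
    "aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4": r"C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe",
    "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163": r"C:\Windows\CTS.exe",
    "59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2": r"C:\$Windows.~WS\Sources\SetupHost.exe",
    "488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159": r"C:\$Windows.~WS\Sources\DiagTrackRunner.exe",
}
ALGOS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes, algos=ALGOS) -> dict:
    """Hash an in-memory buffer with every algorithm in algos; returns {algo: hexdigest}."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def digest_file(path: str, algos=ALGOS, chunk: int = 1 << 20) -> dict:
    """Single read of the file with all digests updated together, so a large
    artifact is not read once per algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root: str, iocs: dict = REPORT_SHA256) -> dict:
    """Walk root and return {path: (label, digests)} for every file whose
    SHA-256 appears in iocs.  Unreadable files (locked, permission denied)
    are skipped rather than aborting the sweep."""
    matches = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                d = digest_file(path)
            except OSError:
                continue
            if d["sha256"] in iocs:
                matches[path] = (iocs[d["sha256"]], d)
    return matches


def demo() -> dict:
    """Stand-in run: writes a constructed file named like the report's dropped
    binary into a temp tree and scans it with the report IoCs plus that file's
    own hash (the constructed bytes obviously do not hash to any report value)."""
    payload = b"constructed stand-in, not the real CTS.exe\n"
    iocs = dict(REPORT_SHA256)
    iocs[digest_bytes(payload)["sha256"]] = "constructed stand-in"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows"))
        target = os.path.join(root, "Windows", "CTS.exe")
        with open(target, "wb") as f:
            f.write(payload)
        return {os.path.relpath(p, root): label for p, (label, _) in scan_tree(root, iocs).items()}


if __name__ == "__main__":
    for path, label in demo().items():
        print(f"{label:24} {path}")
```

To sweep a live system or an image, call scan_tree() on the drive root with REPORT_SHA256 as given; keying the IoC table on SHA-256 and only comparing MD5 and SHA-1 afterwards avoids trusting the weaker digests on their own. A hit on the SetupHost.exe or DiagTrackRunner.exe hashes should be read together with the process tree above: the report does not state whether those binaries are Microsoft-signed, so check the Authenticode signature and the parent process before treating such a hit as conclusive.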