Analysis Overview
SHA256
a6948279d46c237e099bc1adfee11b0640e692b1f1ce2fdf8df43058e211a711
Threat Level: Known bad
The file 2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware was found to be: Known bad.
Malicious Activity Summary
Vidar
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Checks system information in the registry
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NTFS ADS
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 04:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 04:35
Reported
2024-06-29 04:38
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Vidar
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe
C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\$Windows.~WS\Sources\SetupHost.Exe
"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\$Windows.~WS\Sources\DiagTrackRunner.exe
C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
Network
Files
\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe
| MD5 | db3fccad4aead91689d62822232d56bc |
| SHA1 | c00ecaf95ed3b727aae581d41af99b5fbc762865 |
| SHA256 | aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4 |
| SHA512 | 8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909 |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\$Windows.~WS\Sources\SetupHost.exe
| MD5 | a0b1786c1a59ddac1024956723f58a73 |
| SHA1 | 828d9cdb9cc2b6c49843422da49a14ebbf44d3d5 |
| SHA256 | 59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2 |
| SHA512 | a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc |
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll
| MD5 | 9921c2a0d68a011620bd5916cc11e54d |
| SHA1 | e68c1c59600d28968dafadc300225b3ef8e4ebdc |
| SHA256 | 50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696 |
| SHA512 | 4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f |
C:\$Windows.~WS\Sources\SetupCore.dll
| MD5 | 446969e79d71cb6075f26349ac9345bc |
| SHA1 | 6efefe6037458e495a07dd86dc68bf788c638ca9 |
| SHA256 | 26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3 |
| SHA512 | 8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d |
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-1.dll
| MD5 | dbeac4d60d3985a086052d56fd84228e |
| SHA1 | 44a717d41388ce53d8e77fe1bb5e34ed4b72a851 |
| SHA256 | e5ce4dbda2c7bd078056cc17cc65714787cc50daa5e61de59fafa0d0223321b1 |
| SHA512 | 44b7c321f1cdaa0145c7f4766f6b4f90c6d86a9a3eb842d2a007f44b27d9b25efe89421820514080e2a45d99da4bddcb877fd754c01a4801840ea7b7228c62ba |
\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l2-1-0.dll
| MD5 | daec93c3ac8dca1807147d304879acb0 |
| SHA1 | 391cbc5e7cf40124f9640c1e7d6188e75af1b5f3 |
| SHA256 | 107cf218d9af2523fb24da10b381436bb858ac0f8b1012bc56bf088983b2e9db |
| SHA512 | ccc96c82b2cdcd36f56642cc6801de9d487ec593ccda9020efdc782cd3705e321367de7487080b5bdd10c89b9e6acf048a8f45a16c29caed5588bd6d1babe3d1 |
C:\$Windows.~WS\Sources\SetupPlatform.dll
| MD5 | 10fe8f9a16755bf9ca3c5e94bfbf7178 |
| SHA1 | 260c06924a55582d4f4dbdfe7d0bccdd00208f9b |
| SHA256 | 2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd |
| SHA512 | c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110 |
\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-1.dll
| MD5 | 75285f0badb10b3291d8f921e76506c0 |
| SHA1 | d769aba460a768cb065346d9a9c3263af1372160 |
| SHA256 | a5af7a42ea3688d6fb5ce9388e11276bbeb3afb2e893b9f66b1bc7c9059d8f99 |
| SHA512 | f40c8f6ede3010f523ab28f41ad38e41d1fd541554b59104a7d7468ddb004efe6bd690a9467be6461ade71ce7b10b120b8cacf6c429f37fef3d3fc8318c0284b |
\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-1.dll
| MD5 | 40baccd1e7f60085248785bea899c61e |
| SHA1 | d1e076fe8258ed5fb53707f639ceddaf7d5640fa |
| SHA256 | d59814bb8bbcff15e192aa600ac09f344ac089e95034258c1ea3748363132a59 |
| SHA512 | 4ad6b96b3aadfe5cccad0494e80258b709905349e82c858f27cbff4a871790bb7d0757a704f999cd86c9a788e44d286655940a81c8237e15aa2641e0ddf55930 |
\$Windows.~WS\Sources\wpx.dll
| MD5 | c963819dd589b833b2fde3b9e08605f3 |
| SHA1 | 72613ba4e8161fb8a6d0e0237e397285747a1e72 |
| SHA256 | b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6 |
| SHA512 | 5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1 |
\$Windows.~WS\Sources\unbcl.dll
| MD5 | 9aebdb604a0cec305568f2742cc6a3d2 |
| SHA1 | 851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9 |
| SHA256 | 82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93 |
| SHA512 | 3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb |
C:\$Windows.~WS\Sources\setupplatform.cfg
| MD5 | 1405595a81a70c012ace6b3f618351b2 |
| SHA1 | 9b398dbddef2a0c048790f6ca4be57899f0f71c0 |
| SHA256 | ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43 |
| SHA512 | a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d |
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l4-1-0.dll
| MD5 | 96fe4353f44be47fb877366d5f33c172 |
| SHA1 | ddea638bd1694b2eda295a0f508e4a857f8450f2 |
| SHA256 | 904371b86f56414ff70d3d7a4ad878b70f8b9fd278e2b97a82a26bb13b89a9f4 |
| SHA512 | 2d0a0e97ef5eba8701446891dd669735540ef185e3f8fb14053243bf4b9163e9354e5f905bd26d1910a80d8780cfe2dcc68f6f2ad9bf3275bb7efb30eeafa464 |
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-1.dll
| MD5 | 4e2acbaa772797a0f86e15572fa44f84 |
| SHA1 | 7f1846f886a27716ca918c65fb87458bd49fcfee |
| SHA256 | 70b4b4c427f235b2c2c7d49b3aff7c5a799b7a9616e7a11d2de5d78156665ba7 |
| SHA512 | b8143b54cf966f42abf9e2b083cd85aa1f7411fa4ceb2b8460946d708322ba2b81b93be771d8d04b027d0e22b13e68fa71bb53b6c2f6c8b3c0f5941d423d38b4 |
\$Windows.~WS\Sources\WinDlp.dll
| MD5 | 6ca8df94e48799196c24b7274a48fdaa |
| SHA1 | 0cb34852203277829668db49afc5d25bd382f8ba |
| SHA256 | 0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7 |
| SHA512 | e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038 |
\$Windows.~WS\Sources\SetupMgr.dll
| MD5 | 5492a750f2c92ef126621fe0468b779a |
| SHA1 | 64e2d1fafbc008144df94cf3160319e0452d929e |
| SHA256 | 2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10 |
| SHA512 | a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35 |
\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-1.dll
| MD5 | 8cd60551eec672a732db658555c051d9 |
| SHA1 | f675ee4b04a5a3afb758ff89e077dd401e192379 |
| SHA256 | 5d0ba298919d78b726c625c7e6ad31f2632e095f7c79ac08f0ff25f8e15a4295 |
| SHA512 | d3950f90d50e90b2ba62fa1028ae6226c8fe2ee8c0517f769dafa3cc4ba81f38a50ce1676be3eb40669d7ea830752a331975867fb117937b7fffd21c2845b313 |
\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l1-1-0.dll
| MD5 | cfd98d71d80f41c3f155e573b1ffdda1 |
| SHA1 | 966336882e88ca6a311c5e9948b4bb22a815bd7f |
| SHA256 | 1b202df705c429d3d1be26f71274743f0859db81aedead53bf2624d35899294d |
| SHA512 | 16d266bd3dc858bbc37fa95ad7f0a60ce654fbcf1f5c9b3f3e0abc1f7b95e86f2a04a9b0e1d98cae3e616af2129985f92aea7595aeeef898eae399e4669f44ff |
\$Windows.~WS\Sources\wdscore.dll
| MD5 | 8929e1ce63abc413ab88f31f3a45aba2 |
| SHA1 | 49f37061d17cbe0482255aacfdabf10e67839ecb |
| SHA256 | 80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161 |
| SHA512 | 3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5 |
memory/2460-109-0x0000000002AA0000-0x0000000002AE9000-memory.dmp
memory/2460-110-0x0000000002AA0000-0x0000000002AE9000-memory.dmp
C:\$Windows.~WS\Sources\WDSUTIL.dll
| MD5 | 66190a933f32c6521a08c6ea76ac0fe3 |
| SHA1 | 3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de |
| SHA256 | d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9 |
| SHA512 | fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe |
\$Windows.~WS\Sources\DiagTrackRunner.exe
| MD5 | 76f30a1e149792d2542a253b920cbef6 |
| SHA1 | 9040e0873df5cc2a64b850d1b8159b77528ba62c |
| SHA256 | 488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159 |
| SHA512 | ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84 |
C:\$Windows.~WS\Sources\diagtrack.dll
| MD5 | 6c3f6a6bc5ede978e9dfe1acce386339 |
| SHA1 | 3b7b51d762c593e92123f9365a896ed64ee26a7a |
| SHA256 | b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c |
| SHA512 | 3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff |
memory/2460-132-0x0000000002AA0000-0x0000000002AE9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 04:35
Reported
2024-06-29 04:38
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Vidar
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe | N/A |
| N/A | N/A | C:\$Windows.~WS\Sources\SetupHost.Exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"
C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe
C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\$Windows.~WS\Sources\SetupHost.Exe
"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\$Windows.~WS\Sources\DiagTrackRunner.exe
C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.microsoft.com | udp |
| GB | 2.21.189.207:443 | download.microsoft.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe
| MD5 | db3fccad4aead91689d62822232d56bc |
| SHA1 | c00ecaf95ed3b727aae581d41af99b5fbc762865 |
| SHA256 | aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4 |
| SHA512 | 8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909 |
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 4357ad059ae203f9d2de05c4cb416c5e |
| SHA1 | 2c8e8b7778e4b798b431c59612d556ac364b4e1e |
| SHA256 | 1d37a3f2a9940672abd32e38996ca137ec141beff8fce02f1e5008d65159f75e |
| SHA512 | 52db1204c48377e517247cc01ba9f0f66ae66e25a6f2474f36f827690fbdf705f408a9d5dacdd0463a7eb138ab7e2fe46d4fa5dc5eed5902e04b1c975091505d |
C:\$Windows.~WS\Sources\SetupHost.exe
| MD5 | a0b1786c1a59ddac1024956723f58a73 |
| SHA1 | 828d9cdb9cc2b6c49843422da49a14ebbf44d3d5 |
| SHA256 | 59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2 |
| SHA512 | a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc |
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll
| MD5 | 9921c2a0d68a011620bd5916cc11e54d |
| SHA1 | e68c1c59600d28968dafadc300225b3ef8e4ebdc |
| SHA256 | 50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696 |
| SHA512 | 4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f |
C:\$Windows.~WS\Sources\wdscore.dll
| MD5 | 8929e1ce63abc413ab88f31f3a45aba2 |
| SHA1 | 49f37061d17cbe0482255aacfdabf10e67839ecb |
| SHA256 | 80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161 |
| SHA512 | 3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5 |
C:\$Windows.~WS\Sources\SetupPlatform.dll
| MD5 | 10fe8f9a16755bf9ca3c5e94bfbf7178 |
| SHA1 | 260c06924a55582d4f4dbdfe7d0bccdd00208f9b |
| SHA256 | 2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd |
| SHA512 | c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110 |
C:\$Windows.~WS\Sources\SetupCore.dll
| MD5 | 446969e79d71cb6075f26349ac9345bc |
| SHA1 | 6efefe6037458e495a07dd86dc68bf788c638ca9 |
| SHA256 | 26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3 |
| SHA512 | 8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d |
C:\$Windows.~WS\Sources\wpx.dll
| MD5 | c963819dd589b833b2fde3b9e08605f3 |
| SHA1 | 72613ba4e8161fb8a6d0e0237e397285747a1e72 |
| SHA256 | b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6 |
| SHA512 | 5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1 |
C:\$Windows.~WS\Sources\unbcl.dll
| MD5 | 9aebdb604a0cec305568f2742cc6a3d2 |
| SHA1 | 851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9 |
| SHA256 | 82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93 |
| SHA512 | 3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb |
C:\$Windows.~WS\Sources\setupplatform.cfg
| MD5 | 1405595a81a70c012ace6b3f618351b2 |
| SHA1 | 9b398dbddef2a0c048790f6ca4be57899f0f71c0 |
| SHA256 | ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43 |
| SHA512 | a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d |
C:\$Windows.~WS\Sources\WinDlp.dll
| MD5 | 6ca8df94e48799196c24b7274a48fdaa |
| SHA1 | 0cb34852203277829668db49afc5d25bd382f8ba |
| SHA256 | 0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7 |
| SHA512 | e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038 |
C:\$Windows.~WS\Sources\SetupMgr.dll
| MD5 | 5492a750f2c92ef126621fe0468b779a |
| SHA1 | 64e2d1fafbc008144df94cf3160319e0452d929e |
| SHA256 | 2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10 |
| SHA512 | a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35 |
C:\$Windows.~WS\Sources\WDSUTIL.dll
| MD5 | 66190a933f32c6521a08c6ea76ac0fe3 |
| SHA1 | 3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de |
| SHA256 | d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9 |
| SHA512 | fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe |
C:\$Windows.~WS\Sources\diagtrack.dll
| MD5 | 6c3f6a6bc5ede978e9dfe1acce386339 |
| SHA1 | 3b7b51d762c593e92123f9365a896ed64ee26a7a |
| SHA256 | b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c |
| SHA512 | 3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff |
C:\$Windows.~WS\Sources\DiagTrackRunner.exe
| MD5 | 76f30a1e149792d2542a253b920cbef6 |
| SHA1 | 9040e0873df5cc2a64b850d1b8159b77528ba62c |
| SHA256 | 488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159 |
| SHA512 | ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84 |
C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl
| MD5 | 4bc291b5d6ce45bc082e47bacb49c3ff |
| SHA1 | c5ce9db96d10e0f50677704dcb7b524795a5c204 |
| SHA256 | 7ebd88beb9c9eb0164850a93a33078d692a93a25a02b51bc0ad92ad14164ee29 |
| SHA512 | 0b54ed8a83a50caba8dbbfeccabeaa385f1d729f4496e204a9a4c8ccbc146ffce46ab2c99dfaaed57b3d14b8f0abc0d0160e1be8575ae2c1ba5f8a6d0110ce39 |