a6fe598c93859bf59f326df3179646e5f726d7b733f86e61ec837ba94b8008a9

Analysis

max time kernel
123s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 00:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe
Size

735KB
MD5

11784014a6dded01d4f788c62c497462
SHA1

b0c1bf5f33d6c77fdb9a2b2799798bca61bb38cb
SHA256

a6fe598c93859bf59f326df3179646e5f726d7b733f86e61ec837ba94b8008a9
SHA512

7296947eb245fc0c959339b4655d3946c705d49cf9fd099704a9d22d85e3da8e0d595176e7c1e26f8c4a5859454519fd95981b7f1bc78d78404994ac58581da3
SSDEEP

12288:yxT5HJMAUpRlsEWgd/F71FTKu/BH/jxarzv1qYo:8lHJ4pZR7CuZfErb1q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	15A3.tmp

Loads dropped DLL 2 IoCs

pid	Process
956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe
956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	15A3.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx32.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	15A3.tmp
File created	C:\Windows\SysWOW64\rdvgumd32.dll	15A3.tmp
File created	C:\Windows\SysWOW64\setupSNK.exe	15A3.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	15A3.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	15A3.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	15A3.tmp
File created	C:\Windows\SysWOW64\ir50_32.dll	15A3.tmp
File created	C:\Windows\SysWOW64\msltus40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	15A3.tmp
File created	C:\Windows\SysWOW64\d3dim700.dll	15A3.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	15A3.tmp
File created	C:\Windows\SysWOW64\explorer.exe	15A3.tmp
File created	C:\Windows\SysWOW64\ir41_32.ax	15A3.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\regedit.exe	15A3.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll	15A3.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	15A3.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	15A3.tmp
File created	C:\Windows\SysWOW64\mstext40.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	15A3.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll	15A3.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll	15A3.tmp
File created	C:\Windows\SysWOW64\audiodev.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	15A3.tmp
File created	C:\Windows\SysWOW64\dmscript.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	15A3.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	15A3.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	15A3.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	15A3.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	15A3.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	15A3.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\msrd2x40.dll	15A3.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	15A3.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	15A3.tmp
File created	C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	15A3.tmp
File created	C:\Windows\SysWOW64\ir32_32.dll	15A3.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\dplaysvr.exe	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\FM20.DLL	15A3.tmp
File created	C:\Windows\SysWOW64\msjter40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	15A3.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	15A3.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll	15A3.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	15A3.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	15A3.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	15A3.tmp
File created	C:\Windows\SysWOW64\msexcl40.dll	15A3.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	15A3.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKFSTUB.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL	15A3.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCVDT.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\VBAJET32.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolap100.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WWLIB.DLL	15A3.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	15A3.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACERCLR.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\WTSP61MS.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MLCFG32.CPL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	15A3.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOCFUIUTILITIESDLL.DLL	15A3.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ANALYS32.XLL	15A3.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PSTPRX32.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia100.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SSGEN.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSStr32.dll	15A3.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIMG.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLNOTE.FAE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TaxonomyControl.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DLGSETP.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IMPMAIL.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\ColleagueImport.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONPPTAddin.dll	15A3.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\THOCRAPI.DLL	15A3.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	15A3.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-atl_31bf3856ad364e35_6.1.7600.16385_none_aaf695e9bb060258_atl.dll_0c7220db	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_720e868d9b0b6a44\WerFaultSecure.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-jsprofilerui_31bf3856ad364e35_8.0.7601.17514_none_0fc0aacaa3770915\jsprofilerui.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ents-mdac-oledb-dll_31bf3856ad364e35_6.1.7601.17514_none_f43222265b7c8a93\oledb32.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..mponents-jetintlerr_31bf3856ad364e35_6.1.7600.16385_none_0f472a3521bdcfd4\mswdat10.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-usp_31bf3856ad364e35_6.1.7601.17514_none_af01e2f9b6be7939\usp10.dll	15A3.tmp
File created	C:\Windows\winsxs\amd64_igdlh.inf_31bf3856ad364e35_6.1.7600.16385_none_f3e7064ea3c09a9a\igd10umd32.dll	15A3.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1_netbtugc.exe_825f4f74	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-c..us-runtime-stclient_31bf3856ad364e35_6.1.7600.16385_none_a9649d04c661942c\stclient.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-htmlconverter_31bf3856ad364e35_8.0.7601.17514_none_87da61075c9f17a8\html.iec	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-osk_31bf3856ad364e35_6.1.7600.16385_none_aa93298fbb4246f2\osk.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ion-twaincomponents_31bf3856ad364e35_6.1.7601.17514_none_8b399e33ba72bed9\twunk_32.exe	15A3.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_6.1.7601.17514_none_257ada4f467a7f64_oleaut32.dll_730e3d41	15A3.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e_scecli.dll_149e0f7b	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-core_31bf3856ad364e35_6.1.7601.17514_none_eb2fd71ce868a93e\msoeacct.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msmq-installer_31bf3856ad364e35_6.1.7601.17514_none_7d190f1e5e76acbc\mqsec.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-n..ion_service_runtime_31bf3856ad364e35_6.1.7601.17514_none_fb08448fa0c85c23\iaspolcy.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-credui_31bf3856ad364e35_6.1.7601.17514_none_dd3eb6aced2f8d13\credui.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7601.17514_none_5d772bc73c15dfe5\crypt32.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-t..esframework-softkbd_31bf3856ad364e35_6.1.7600.16385_none_b28674d0b8799858\softkbd.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-opengl-mf_31bf3856ad364e35_6.1.7600.16385_none_cb31c38d7718c1a4\glmf32.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_782d737490d72da3\regsvr32.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_247621f7aa7542ff\ImagingDevices.exe	15A3.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.1.7601.17514_none_74a0e9133d491d65\AcXtrnal.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-homegroup-controlpanel_31bf3856ad364e35_6.1.7601.17514_none_b83c28f41f93f405\hgcpl.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-rasgetconnectedwizard_31bf3856ad364e35_6.1.7600.16385_none_39ea34b42d8bab89\rasgcw.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\ATL90.dll	15A3.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll	15A3.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-datacontrol_31bf3856ad364e35_8.0.7600.16385_none_950b0c1b653d65c3\tdc.ocx	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\SxsMigPlugin.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.1.7601.17514_none_a2fcd94e8fba36f5\RMActivate.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux-sppcc_31bf3856ad364e35_6.1.7600.16385_none_91f3d310d6b20a5f\sppcc.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16385_none_ca66ddfc9862f744\InkEd.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wmadmoe_31bf3856ad364e35_6.1.7600.16385_none_8696c88e7f02ab7b\WMADMOE.DLL	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wpd-legacywmdmapi_31bf3856ad364e35_6.1.7600.16385_none_5980e766d0fe239f\mswmdm.dll	15A3.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.OracleClient.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-components-jetcore_31bf3856ad364e35_6.1.7600.16385_none_046511bf090691ab\msjet40.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-k..eo-capture-plug-ins_31bf3856ad364e35_6.1.7601.17514_none_f77206649edabee9\Kswdmcap.ax	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-controls_31bf3856ad364e35_8.0.7601.17514_none_e6a3090d2536ca55\licmgr10.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-f12diagnosticstap_31bf3856ad364e35_11.2.9600.16428_none_3861e42cd41507eb\DiagnosticsTap.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-diskmanagement_31bf3856ad364e35_6.1.7600.16385_none_016e0bdad110d4d1\dmdlgs.dll	15A3.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155\rasmxs.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-authorizationmanagerui_31bf3856ad364e35_6.1.7601.17514_none_23e160885de79241\azroleui.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.17514_none_64655b7c61c841cb\sqmapi.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..nents-mdac-sqlunirl_31bf3856ad364e35_6.1.7600.16385_none_3bed0e7fdd8193ca\sqlunirl.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..terface-remoting-ps_31bf3856ad364e35_6.1.7600.16385_none_ec4c512325381e78\msdaps.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_ef38a8d0d05cc2c7\IMJPDADM.EXE	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.7601.17514_none_190fa02cb006154d\msfeedssync.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\MediaPlayer-DLMigPlugin.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_f0a5d809ca926e4f\makecab.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ribbons_31bf3856ad364e35_6.1.7601.17514_none_8abc4ded863e0452\Ribbons.scr	15A3.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_c79aef32ab85d92b\cmmon32.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-international-core_31bf3856ad364e35_6.1.7601.17514_none_ebb1ce7438031941\MuiUnattend.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-azman_31bf3856ad364e35_6.1.7601.17514_none_585e832110fb75a4\azroles.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-directx-warp10_31bf3856ad364e35_7.1.7601.16492_none_dd831f034017b66d\d3d10warp.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-pdm-configuration_31bf3856ad364e35_11.2.9600.16428_none_d6876629731ce419\PDMSetup.exe	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-migration_31bf3856ad364e35_6.1.7601.17514_none_e02729035a3379c1\MediaPlayer-DLMigPlugin.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\mspatcha.dll	15A3.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll	15A3.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-f..temutilitylibraries_31bf3856ad364e35_6.1.7601.17514_none_eb9dc1c34def72a3_ifsutil.dll_7d6905f6	15A3.tmp
File created	C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\SearchProtocolHost.exe	15A3.tmp
File created	C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\tquery.dll	15A3.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-com-dtc-management_31bf3856ad364e35_6.1.7600.16385_none_49a47881c52ef4d2\msdtcuiu.dll	15A3.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe
956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe
956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1800	956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe	29
PID 956 wrote to memory of 1800	956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe	29
PID 956 wrote to memory of 1800	956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe	29
PID 956 wrote to memory of 1800	956	2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_11784014a6dded01d4f788c62c497462_bkransomware.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\15A3.tmp
  C:\Users\Admin\AppData\Local\Temp\15A3.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15A3.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/956-1-0x0000000000240000-0x0000000000288000-memory.dmp

Filesize
288KB

Download
memory/956-0-0x0000000000240000-0x0000000000288000-memory.dmp

Filesize
288KB

Download