Malware Analysis Report

2025-01-03 09:34

Sample ID 240604-c188eaba35
Target 2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware
SHA256 a5c5fe498a1e31a91dea78f9f203475ccb9b620b0155ba7924bf492055ff9d2d
Tags
bootkit persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5c5fe498a1e31a91dea78f9f203475ccb9b620b0155ba7924bf492055ff9d2d

Threat Level: Known bad

The file 2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware was found to be: Known bad.

Malicious Activity Summary

bootkit persistence upx

Detects executables packed with VMProtect.

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 02:33

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 02:33

Reported

2024-06-04 02:36

Platform

win7-20240221-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe"

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
File created | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe"

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | qifu-api.baidubce.com | udp
CN | 182.61.200.153:443 | qifu-api.baidubce.com | tcp
CN | 39.156.66.4:443 | qifu-api.baidubce.com | tcp
CN | 110.242.68.112:443 | qifu-api.baidubce.com | tcp
CN | 111.206.209.154:443 | qifu-api.baidubce.com | tcp
CN | 112.34.112.38:443 | qifu-api.baidubce.com | tcp
CN | 124.237.176.106:443 | qifu-api.baidubce.com | tcp
US | 8.8.8.8:53 | get.baibaoyun.com | udp
CN | 45.117.8.216:80 | get.baibaoyun.com | tcp

Files

memory/1500-1-0x00000000035F0000-0x0000000003B2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1500f768e5b\_.bmp

MD5 98bf6ad36aedcbb35ea5544f8a98dcb7
SHA1 d25c1994126310144f70aa69110fe602f96b7af7
SHA256 cc307b058485bd3f237a3a32419d02eca4bfc93e8e8b18ffe8544d95c28d99c2
SHA512 c36a34ef51eb2867124e23790e57a4ca05983a694f7fafad8b5e3fdcb627eded7fe148390fc84032e6cf8b9c46578680e56af269d5d0bdcd0e1863070a6f3231

C:\Users\Admin\AppData\Local\Temp\1500f768e5b\__.bmp

MD5 c4315ec0f35457fe11bb5eaf262b1720
SHA1 034c087abc82b2d709d6a43075856619e33b8440
SHA256 baa6bd72934642df6697479be1d96f17b8b370e631e4b8dfb0bc321fd6df46e2
SHA512 bcc945a8d00ee39a4e4634132595ebae626bda1d3fc1178a518c7e8ad05be8bc7615ea70008922cf3c3ece8692e8dbb2273be2e71eaf68bceaa6825dd9f4af01

C:\Users\Admin\AppData\Local\Temp\1500f768e5b\__1.bmp

MD5 d4856280e621f0ab531338d2ae21d984
SHA1 e3eceffdfbd5f3bbc6dbc77f62732cfc0fcd3beb
SHA256 0a88c7dfc78f2e24ef64f1de3f38f969cd3f3a5000aee5351256d83e409f61c1
SHA512 afa475e2dd938f3d8692c8a0234f1c0532f827761d4f693bf9378f8be80401ddaaefb8e3cd3323bc2ef6b8d49444b9e185f335c700e512bf1e1b5a2a07a6cc58

C:\Users\Admin\AppData\Local\Temp\1500f768e5b\__.bmp

MD5 462f550aba03212a8317887f403073f9
SHA1 52e72581ea2fbe2b69e3deb84e35cfde3a698bd8
SHA256 c6060a4127f85c0f557fdf0b28a2a4221bf36f04a834edec1aadc1d54e1fd36d
SHA512 960dd94c7c4ca8649ebae7bde94a87b6b4761898e834b75ca80c0c3043c479c0e11694d68aa940c6f4c4fff88e0e4617c681e61f80bae7aa661804cdf0133b44

\Users\Admin\AppData\Local\Temp\1500f768e5b\TLib.dll

MD5 0fdc79cafb9898d0ef79db7eec184f03
SHA1 db3a53eca9ade3f473776fd473f7cbe8751c969b
SHA256 22a25e408bb431ad311a8f8ea5c205ec228652df8963701e614b08e6b327b8fd
SHA512 fd76fe4021677382039c4e4b75fdc76e63cb6f2259ffbbecf477fe8f5b207c8fe8cd1cb8344f6c10b106c5ef2798b2a5ec9fe729c4524570de23e3fcdb239589

\Users\Admin\AppData\Local\Temp\1500f768e5b\TApi.dll

MD5 a03db8a3622fa9f6ff51765ca145e5ad
SHA1 9436684c2fea17c9a0b704872f79eb7257d94bb8
SHA256 fe3ba07a52618342e47087c73ee7e7bfc0ea841b8f5cb458afc1ef36ad022707
SHA512 74dc48ccadfbe980d4a3e4c47195c63050dc90067d8048898fd48dc8fec9358c58d127e90a3f23080a4318f0e2f59bc40d9f1814c0ca2b058f223af34d33dc42

\Users\Admin\AppData\Local\Temp\1500f768e5b\t_baibaoyun_win32.dll

MD5 430b269ba6ae3ae72b7c76848fc3dd8c
SHA1 9c1e62f6ccfd0661ccc5e8b95abff394fca4052e
SHA256 2f422a4ed4bec519c8840436cabaffe2ef4244630829ba1ebb3b806a871cb26f
SHA512 61ac557cc1169ceb0b83a2ef41d4e697efee0fcd3472d2a9bb0f04199430698c7a162be2c607bde0a6bb24ec68fcb3b6faebd1bfef264846250b2789dd9cee2a

memory/1500-223-0x0000000000EC0000-0x000000000173D000-memory.dmp

C:\Windows\SysWOW64\dm.dll

MD5 c578b6820bda5689940560147c6e5ffc
SHA1 922e50d89c9c44bdc205ef17aa57212b64e58852
SHA256 3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389
SHA512 9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

memory/1500-232-0x0000000010000000-0x0000000010176000-memory.dmp

memory/1500-237-0x0000000010000000-0x0000000010176000-memory.dmp

memory/1500-239-0x0000000003F40000-0x0000000003F4A000-memory.dmp

memory/1500-238-0x0000000003F40000-0x0000000003F4A000-memory.dmp

memory/1500-240-0x0000000010000000-0x0000000010176000-memory.dmp

memory/1500-241-0x0000000000EC0000-0x000000000173D000-memory.dmp

memory/1500-243-0x0000000003F40000-0x0000000003F4A000-memory.dmp

memory/1500-244-0x0000000003F40000-0x0000000003F4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 02:33

Reported

2024-06-04 02:36

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe"

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File created | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
File opened for modification | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
GB | 96.16.110.114:80 | | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | qifu-api.baidubce.com | udp
CN | 39.156.66.4:443 | qifu-api.baidubce.com | tcp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
GB | 142.250.187.234:443 | | tcp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
CN | 110.242.68.112:443 | qifu-api.baidubce.com | tcp
CN | 111.206.209.154:443 | qifu-api.baidubce.com | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
CN | 112.34.112.38:443 | qifu-api.baidubce.com | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp
CN | 124.237.176.106:443 | qifu-api.baidubce.com | tcp
CN | 182.61.62.106:443 | qifu-api.baidubce.com | tcp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | get.baibaoyun.com | udp
CN | 45.117.8.216:80 | get.baibaoyun.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\4888e582630\__.bmp

MD5 46c8704a8bea749d676eb90dc5a0f815
SHA1 eb5273b38ac0201bf1224245a1a3afe2d084a7bf
SHA256 c7ab145e7154c3bbcbdc93c90d5f54dd287a000728ee2acfdf3d5142177ebd3e
SHA512 25d7cb87c795f095d2772b7cc42baca256fafbdf403125b492269c906d691e1f4315a305217557dd2402b1456da6b4a2720abd53fd9abe532bd74d2d11166a64

C:\Users\Admin\AppData\Local\Temp\4888e582630\_.bmp

MD5 a3dc01997eadb6b6cd644aa94a094a4a
SHA1 596a1f64f7c36f98a804d437c0503ff95e089a13
SHA256 aa6802e771b59b1b1d79009acf36162cbc115260ad3f91031422237c98287e5d
SHA512 4f4dc13857d9e554f888c05339aefdf22565acf4cbab7ebc6d4dd0be5b0b7b66a2b174257802c9d8fd4fd3c8451b330e8b6e19faed90fdc09ed80f98598a304a

C:\Users\Admin\AppData\Local\Temp\4888e582630\_.bmp

MD5 e0d3ed5e1e56fb11bfcfe6bd945c206b
SHA1 8ba212b241655110ed394be25e355c7335c56262
SHA256 f1e4ca14df25cf1d6313d38f461e9dcedebaa889ade70a7e8a404193f94c23c5
SHA512 efd658174054a9b80217135e770d830ee51eb3942d474e91bd52137ab091f1d354b4c0d48efb7eccf47bd8b5c5cd8c56e543ac68e7b9c9474ff46c23ade9aa34

C:\Users\Admin\AppData\Local\Temp\4888e582630\__.bmp

MD5 2aae8d9a47e732d36dd4985c98aa7eaa
SHA1 13417613eb03c042863f51e0e3c438b936074fcd
SHA256 bb40e6f90d70632f80eea20d1f53d92c3cd46767cf37a70bd83a397ee3c66b78
SHA512 8ec40d3710615d05c49853bdf40c7ef3560ad26c5dbbfde7be38bd0c667f6f1d408c2e3d975549bf2190791f5d3722c01647d2e5dcfd8d83d870c43858e81010

C:\Users\Admin\AppData\Local\Temp\4888e582630\_.bmp

MD5 98bf6ad36aedcbb35ea5544f8a98dcb7
SHA1 d25c1994126310144f70aa69110fe602f96b7af7
SHA256 cc307b058485bd3f237a3a32419d02eca4bfc93e8e8b18ffe8544d95c28d99c2
SHA512 c36a34ef51eb2867124e23790e57a4ca05983a694f7fafad8b5e3fdcb627eded7fe148390fc84032e6cf8b9c46578680e56af269d5d0bdcd0e1863070a6f3231

C:\Users\Admin\AppData\Local\Temp\4888e582630\__.bmp

MD5 c4315ec0f35457fe11bb5eaf262b1720
SHA1 034c087abc82b2d709d6a43075856619e33b8440
SHA256 baa6bd72934642df6697479be1d96f17b8b370e631e4b8dfb0bc321fd6df46e2
SHA512 bcc945a8d00ee39a4e4634132595ebae626bda1d3fc1178a518c7e8ad05be8bc7615ea70008922cf3c3ece8692e8dbb2273be2e71eaf68bceaa6825dd9f4af01

C:\Users\Admin\AppData\Local\Temp\4888e582630\TLib.dll

MD5 0fdc79cafb9898d0ef79db7eec184f03
SHA1 db3a53eca9ade3f473776fd473f7cbe8751c969b
SHA256 22a25e408bb431ad311a8f8ea5c205ec228652df8963701e614b08e6b327b8fd
SHA512 fd76fe4021677382039c4e4b75fdc76e63cb6f2259ffbbecf477fe8f5b207c8fe8cd1cb8344f6c10b106c5ef2798b2a5ec9fe729c4524570de23e3fcdb239589

C:\Users\Admin\AppData\Local\Temp\4888e582630\TApi.dll

MD5 a03db8a3622fa9f6ff51765ca145e5ad
SHA1 9436684c2fea17c9a0b704872f79eb7257d94bb8
SHA256 fe3ba07a52618342e47087c73ee7e7bfc0ea841b8f5cb458afc1ef36ad022707
SHA512 74dc48ccadfbe980d4a3e4c47195c63050dc90067d8048898fd48dc8fec9358c58d127e90a3f23080a4318f0e2f59bc40d9f1814c0ca2b058f223af34d33dc42

C:\Users\Admin\AppData\Local\Temp\4888e582630\t_baibaoyun_win32.dll

MD5 430b269ba6ae3ae72b7c76848fc3dd8c
SHA1 9c1e62f6ccfd0661ccc5e8b95abff394fca4052e
SHA256 2f422a4ed4bec519c8840436cabaffe2ef4244630829ba1ebb3b806a871cb26f
SHA512 61ac557cc1169ceb0b83a2ef41d4e697efee0fcd3472d2a9bb0f04199430698c7a162be2c607bde0a6bb24ec68fcb3b6faebd1bfef264846250b2789dd9cee2a

memory/4888-224-0x000000007719D000-0x000000007719E000-memory.dmp

C:\Windows\SysWOW64\dm.dll

MD5 c578b6820bda5689940560147c6e5ffc
SHA1 922e50d89c9c44bdc205ef17aa57212b64e58852
SHA256 3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389
SHA512 9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

memory/4888-233-0x0000000010000000-0x0000000010176000-memory.dmp

memory/4888-241-0x0000000010000000-0x0000000010176000-memory.dmp

memory/4888-242-0x0000000010000000-0x0000000010176000-memory.dmp