Analysis Overview
SHA256
a5c5fe498a1e31a91dea78f9f203475ccb9b620b0155ba7924bf492055ff9d2d
Threat Level: Known bad
The file 2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with VMProtect.
UPX dump on OEP (original entry point)
Loads dropped DLL
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 02:33
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 02:33
Reported
2024-06-04 02:36
Platform
win7-20240221-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| File created | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | qifu-api.baidubce.com | udp |
| CN | 182.61.200.153:443 | qifu-api.baidubce.com | tcp |
| CN | 39.156.66.4:443 | qifu-api.baidubce.com | tcp |
| CN | 110.242.68.112:443 | qifu-api.baidubce.com | tcp |
| CN | 111.206.209.154:443 | qifu-api.baidubce.com | tcp |
| CN | 112.34.112.38:443 | qifu-api.baidubce.com | tcp |
| CN | 124.237.176.106:443 | qifu-api.baidubce.com | tcp |
| US | 8.8.8.8:53 | get.baibaoyun.com | udp |
| CN | 45.117.8.216:80 | get.baibaoyun.com | tcp |
Files
memory/1500-1-0x00000000035F0000-0x0000000003B2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1500f768e5b\_.bmp
| MD5 | 98bf6ad36aedcbb35ea5544f8a98dcb7 |
| SHA1 | d25c1994126310144f70aa69110fe602f96b7af7 |
| SHA256 | cc307b058485bd3f237a3a32419d02eca4bfc93e8e8b18ffe8544d95c28d99c2 |
| SHA512 | c36a34ef51eb2867124e23790e57a4ca05983a694f7fafad8b5e3fdcb627eded7fe148390fc84032e6cf8b9c46578680e56af269d5d0bdcd0e1863070a6f3231 |
C:\Users\Admin\AppData\Local\Temp\1500f768e5b\__.bmp
| MD5 | c4315ec0f35457fe11bb5eaf262b1720 |
| SHA1 | 034c087abc82b2d709d6a43075856619e33b8440 |
| SHA256 | baa6bd72934642df6697479be1d96f17b8b370e631e4b8dfb0bc321fd6df46e2 |
| SHA512 | bcc945a8d00ee39a4e4634132595ebae626bda1d3fc1178a518c7e8ad05be8bc7615ea70008922cf3c3ece8692e8dbb2273be2e71eaf68bceaa6825dd9f4af01 |
C:\Users\Admin\AppData\Local\Temp\1500f768e5b\__1.bmp
| MD5 | d4856280e621f0ab531338d2ae21d984 |
| SHA1 | e3eceffdfbd5f3bbc6dbc77f62732cfc0fcd3beb |
| SHA256 | 0a88c7dfc78f2e24ef64f1de3f38f969cd3f3a5000aee5351256d83e409f61c1 |
| SHA512 | afa475e2dd938f3d8692c8a0234f1c0532f827761d4f693bf9378f8be80401ddaaefb8e3cd3323bc2ef6b8d49444b9e185f335c700e512bf1e1b5a2a07a6cc58 |
C:\Users\Admin\AppData\Local\Temp\1500f768e5b\__.bmp
| MD5 | 462f550aba03212a8317887f403073f9 |
| SHA1 | 52e72581ea2fbe2b69e3deb84e35cfde3a698bd8 |
| SHA256 | c6060a4127f85c0f557fdf0b28a2a4221bf36f04a834edec1aadc1d54e1fd36d |
| SHA512 | 960dd94c7c4ca8649ebae7bde94a87b6b4761898e834b75ca80c0c3043c479c0e11694d68aa940c6f4c4fff88e0e4617c681e61f80bae7aa661804cdf0133b44 |
\Users\Admin\AppData\Local\Temp\1500f768e5b\TLib.dll
| MD5 | 0fdc79cafb9898d0ef79db7eec184f03 |
| SHA1 | db3a53eca9ade3f473776fd473f7cbe8751c969b |
| SHA256 | 22a25e408bb431ad311a8f8ea5c205ec228652df8963701e614b08e6b327b8fd |
| SHA512 | fd76fe4021677382039c4e4b75fdc76e63cb6f2259ffbbecf477fe8f5b207c8fe8cd1cb8344f6c10b106c5ef2798b2a5ec9fe729c4524570de23e3fcdb239589 |
\Users\Admin\AppData\Local\Temp\1500f768e5b\TApi.dll
| MD5 | a03db8a3622fa9f6ff51765ca145e5ad |
| SHA1 | 9436684c2fea17c9a0b704872f79eb7257d94bb8 |
| SHA256 | fe3ba07a52618342e47087c73ee7e7bfc0ea841b8f5cb458afc1ef36ad022707 |
| SHA512 | 74dc48ccadfbe980d4a3e4c47195c63050dc90067d8048898fd48dc8fec9358c58d127e90a3f23080a4318f0e2f59bc40d9f1814c0ca2b058f223af34d33dc42 |
\Users\Admin\AppData\Local\Temp\1500f768e5b\t_baibaoyun_win32.dll
| MD5 | 430b269ba6ae3ae72b7c76848fc3dd8c |
| SHA1 | 9c1e62f6ccfd0661ccc5e8b95abff394fca4052e |
| SHA256 | 2f422a4ed4bec519c8840436cabaffe2ef4244630829ba1ebb3b806a871cb26f |
| SHA512 | 61ac557cc1169ceb0b83a2ef41d4e697efee0fcd3472d2a9bb0f04199430698c7a162be2c607bde0a6bb24ec68fcb3b6faebd1bfef264846250b2789dd9cee2a |
memory/1500-223-0x0000000000EC0000-0x000000000173D000-memory.dmp
C:\Windows\SysWOW64\dm.dll
| MD5 | c578b6820bda5689940560147c6e5ffc |
| SHA1 | 922e50d89c9c44bdc205ef17aa57212b64e58852 |
| SHA256 | 3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389 |
| SHA512 | 9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85 |
memory/1500-232-0x0000000010000000-0x0000000010176000-memory.dmp
memory/1500-237-0x0000000010000000-0x0000000010176000-memory.dmp
memory/1500-239-0x0000000003F40000-0x0000000003F4A000-memory.dmp
memory/1500-238-0x0000000003F40000-0x0000000003F4A000-memory.dmp
memory/1500-240-0x0000000010000000-0x0000000010176000-memory.dmp
memory/1500-241-0x0000000000EC0000-0x000000000173D000-memory.dmp
memory/1500-243-0x0000000003F40000-0x0000000003F4A000-memory.dmp
memory/1500-244-0x0000000003F40000-0x0000000003F4A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 02:33
Reported
2024-06-04 02:36
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dm.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe = "10000" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_73c91787f2db475b88b8bc58394872c3_bkransomware.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qifu-api.baidubce.com | udp |
| CN | 39.156.66.4:443 | qifu-api.baidubce.com | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| CN | 110.242.68.112:443 | qifu-api.baidubce.com | tcp |
| CN | 111.206.209.154:443 | qifu-api.baidubce.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| CN | 112.34.112.38:443 | qifu-api.baidubce.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| CN | 124.237.176.106:443 | qifu-api.baidubce.com | tcp |
| CN | 182.61.62.106:443 | qifu-api.baidubce.com | tcp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.baibaoyun.com | udp |
| CN | 45.117.8.216:80 | get.baibaoyun.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\4888e582630\__.bmp
| MD5 | 46c8704a8bea749d676eb90dc5a0f815 |
| SHA1 | eb5273b38ac0201bf1224245a1a3afe2d084a7bf |
| SHA256 | c7ab145e7154c3bbcbdc93c90d5f54dd287a000728ee2acfdf3d5142177ebd3e |
| SHA512 | 25d7cb87c795f095d2772b7cc42baca256fafbdf403125b492269c906d691e1f4315a305217557dd2402b1456da6b4a2720abd53fd9abe532bd74d2d11166a64 |
C:\Users\Admin\AppData\Local\Temp\4888e582630\_.bmp
| MD5 | a3dc01997eadb6b6cd644aa94a094a4a |
| SHA1 | 596a1f64f7c36f98a804d437c0503ff95e089a13 |
| SHA256 | aa6802e771b59b1b1d79009acf36162cbc115260ad3f91031422237c98287e5d |
| SHA512 | 4f4dc13857d9e554f888c05339aefdf22565acf4cbab7ebc6d4dd0be5b0b7b66a2b174257802c9d8fd4fd3c8451b330e8b6e19faed90fdc09ed80f98598a304a |
C:\Users\Admin\AppData\Local\Temp\4888e582630\_.bmp
| MD5 | e0d3ed5e1e56fb11bfcfe6bd945c206b |
| SHA1 | 8ba212b241655110ed394be25e355c7335c56262 |
| SHA256 | f1e4ca14df25cf1d6313d38f461e9dcedebaa889ade70a7e8a404193f94c23c5 |
| SHA512 | efd658174054a9b80217135e770d830ee51eb3942d474e91bd52137ab091f1d354b4c0d48efb7eccf47bd8b5c5cd8c56e543ac68e7b9c9474ff46c23ade9aa34 |
C:\Users\Admin\AppData\Local\Temp\4888e582630\__.bmp
| MD5 | 2aae8d9a47e732d36dd4985c98aa7eaa |
| SHA1 | 13417613eb03c042863f51e0e3c438b936074fcd |
| SHA256 | bb40e6f90d70632f80eea20d1f53d92c3cd46767cf37a70bd83a397ee3c66b78 |
| SHA512 | 8ec40d3710615d05c49853bdf40c7ef3560ad26c5dbbfde7be38bd0c667f6f1d408c2e3d975549bf2190791f5d3722c01647d2e5dcfd8d83d870c43858e81010 |
C:\Users\Admin\AppData\Local\Temp\4888e582630\_.bmp
| MD5 | 98bf6ad36aedcbb35ea5544f8a98dcb7 |
| SHA1 | d25c1994126310144f70aa69110fe602f96b7af7 |
| SHA256 | cc307b058485bd3f237a3a32419d02eca4bfc93e8e8b18ffe8544d95c28d99c2 |
| SHA512 | c36a34ef51eb2867124e23790e57a4ca05983a694f7fafad8b5e3fdcb627eded7fe148390fc84032e6cf8b9c46578680e56af269d5d0bdcd0e1863070a6f3231 |
C:\Users\Admin\AppData\Local\Temp\4888e582630\__.bmp
| MD5 | c4315ec0f35457fe11bb5eaf262b1720 |
| SHA1 | 034c087abc82b2d709d6a43075856619e33b8440 |
| SHA256 | baa6bd72934642df6697479be1d96f17b8b370e631e4b8dfb0bc321fd6df46e2 |
| SHA512 | bcc945a8d00ee39a4e4634132595ebae626bda1d3fc1178a518c7e8ad05be8bc7615ea70008922cf3c3ece8692e8dbb2273be2e71eaf68bceaa6825dd9f4af01 |
C:\Users\Admin\AppData\Local\Temp\4888e582630\TLib.dll
| MD5 | 0fdc79cafb9898d0ef79db7eec184f03 |
| SHA1 | db3a53eca9ade3f473776fd473f7cbe8751c969b |
| SHA256 | 22a25e408bb431ad311a8f8ea5c205ec228652df8963701e614b08e6b327b8fd |
| SHA512 | fd76fe4021677382039c4e4b75fdc76e63cb6f2259ffbbecf477fe8f5b207c8fe8cd1cb8344f6c10b106c5ef2798b2a5ec9fe729c4524570de23e3fcdb239589 |
C:\Users\Admin\AppData\Local\Temp\4888e582630\TApi.dll
| MD5 | a03db8a3622fa9f6ff51765ca145e5ad |
| SHA1 | 9436684c2fea17c9a0b704872f79eb7257d94bb8 |
| SHA256 | fe3ba07a52618342e47087c73ee7e7bfc0ea841b8f5cb458afc1ef36ad022707 |
| SHA512 | 74dc48ccadfbe980d4a3e4c47195c63050dc90067d8048898fd48dc8fec9358c58d127e90a3f23080a4318f0e2f59bc40d9f1814c0ca2b058f223af34d33dc42 |
C:\Users\Admin\AppData\Local\Temp\4888e582630\t_baibaoyun_win32.dll
| MD5 | 430b269ba6ae3ae72b7c76848fc3dd8c |
| SHA1 | 9c1e62f6ccfd0661ccc5e8b95abff394fca4052e |
| SHA256 | 2f422a4ed4bec519c8840436cabaffe2ef4244630829ba1ebb3b806a871cb26f |
| SHA512 | 61ac557cc1169ceb0b83a2ef41d4e697efee0fcd3472d2a9bb0f04199430698c7a162be2c607bde0a6bb24ec68fcb3b6faebd1bfef264846250b2789dd9cee2a |
memory/4888-224-0x000000007719D000-0x000000007719E000-memory.dmp
C:\Windows\SysWOW64\dm.dll
| MD5 | c578b6820bda5689940560147c6e5ffc |
| SHA1 | 922e50d89c9c44bdc205ef17aa57212b64e58852 |
| SHA256 | 3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389 |
| SHA512 | 9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85 |
memory/4888-233-0x0000000010000000-0x0000000010176000-memory.dmp
memory/4888-241-0x0000000010000000-0x0000000010176000-memory.dmp
memory/4888-242-0x0000000010000000-0x0000000010176000-memory.dmp