Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/05/2024, 09:55
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe
- Size: 13.4MB
- MD5: 9c772fdfec3835b0c3c00a027f1dfcbf
- SHA1: c69ed96ee33a5d8a823b464e1143d297c4d9270b
- SHA256: dd547a0e134225a5b413ebe9fb894cf47a4f2aa72f69083d900086bf7238896c
- SHA512: 4aaa22091a8970e28149c53ec26ff4470d862d5fa27d668b37db51220114ae200b29bf07fad0b91d7b041d9bed0fe7136d805892d3b4b4fd2a0e3259b630aaa7
- SSDEEP: 393216:kM0FqXmW4bmncnqXmmN9DW+bRbD54XmPH:rXfn1nziw4XmPH
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2760  join.me.exe
  4844  LMIGuardianSvc.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  2760  join.me.exe
  2760  join.me.exe
  2760  join.me.exe
  4844  LMIGuardianSvc.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PhysicalDrive0  join.me.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       join.me.exe
  Key queried        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       join.me.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\                      join.me.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  join.me.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   join.me.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  2760  join.me.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2760  join.me.exe
  2760  join.me.exe
  2760  join.me.exe
  2760  join.me.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2760  join.me.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                      pid   Process
  Token: SeCreateGlobalPrivilege   2760  join.me.exe
  Token: SeCreateGlobalPrivilege   2760  join.me.exe
  Token: SeCreateGlobalPrivilege   4844  LMIGuardianSvc.exe
  Token: SeCreateGlobalPrivilege   4844  LMIGuardianSvc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2760  join.me.exe
  2760  join.me.exe
  2760  join.me.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                  procid_target
  PID 3968 wrote to memory of 2760  3968  2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe  87
  PID 3968 wrote to memory of 2760  3968  2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe  87
  PID 3968 wrote to memory of 2760  3968  2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe  87
  PID 2760 wrote to memory of 4844  2760  join.me.exe                                                              88
  PID 2760 wrote to memory of 4844  2760  join.me.exe                                                              88
  PID 2760 wrote to memory of 4844  2760  join.me.exe                                                              88
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3968
  - C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2760
    - C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianSvc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianSvc /escort 2760 /CUSTOM JoinMe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 4844
Network
MITRE ATT&CK Enterprise v15
Downloads