8de915f57f21c61a3a34802d9e5fe5a2e6a75b716cc47e08319532c596861480

General

Target

2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe
Size

1.7MB
MD5

e6dc2f97380fe17f193e2036a9d39187
SHA1

cc06cf8c59e5d565253a2c013f1dbc1bf130af02
SHA256

8de915f57f21c61a3a34802d9e5fe5a2e6a75b716cc47e08319532c596861480
SHA512

22f1aa0c54503be045d1604067fae836bb1aed58b10252f2ba223858c6e9d07aaf2804a388bbc862a0652ace37ea41a1088204d1898f6307a563f691c3f24315
SSDEEP

49152:VHqhrc5tR2oD6OL/w6Myq/qdS8fJ8jNxLvtoqo0:Jqxc5tR2ePL/w6dNJ8jNJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	lmi_rescue.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	lmi_rescue.exe
2028	lmi_rescue.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	lmi_rescue.exe
2028	lmi_rescue.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2028	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	2028	lmi_rescue.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	lmi_rescue.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2028	684	2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe	90
PID 684 wrote to memory of 2028	684	2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe	90
PID 684 wrote to memory of 2028	684	2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe	90
PID 684 wrote to memory of 2028	684	2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe	90
PID 684 wrote to memory of 2028	684	2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e6dc2f97380fe17f193e2036a9d39187_bkransomware_karagany.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
  "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

Filesize
134KB

MD5
33bbdd9f4f3395b824c618089b9a132b

SHA1
3ca460d2706f8ddbbc637bbf5062a0c954551c98

SHA256
9553b28495ed3226885776a71b539364db394264e8a413a21c67e6e9b7f212de

SHA512
0dbbd8b8ce8d4d7a23aa2bdbbb632a1d0166c1b9d0813c0788ab103626af88b0e5ed7275742e32b694a5d6088e3c0ac33f491668de94bce437eacfe2b0fb733c

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\eula.txt

Filesize
1KB

MD5
81b9077540778d91e19b449ad999ff88

SHA1
285c9229a395ba722a42a11f2a686e44e5afc567

SHA256
4bfbf94aeb970362227ca47644d40f1e66f286a4a3f0193a9d0263fce210a48c

SHA512
088f8ce8d67a85e8fda478a88b26ebbb59e2cd155f89ced1055a7cb18a1fdfc3880a00a90bfe679181aab10d8aa8f2459875295a7b5c8af4749b61c5be753bf9

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

Filesize
3.8MB

MD5
a9771d8588e5c497c21451c0278447bd

SHA1
54fa2c940dcbd96747c351a75051e12d4a810393

SHA256
5fc54d5761f3648c5c53fd4ef7e471b7cf9595b6be22a8cd4025294439d28bee

SHA512
3332baafc8e5fdd07830544ea957dcf2f48829a3cb0461f10028f0d1271da9e1b7fe14b5ca5b6e459d2b66be35e015eb5a163a29bceaaccfdf641ad172c53956

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

Filesize
7KB

MD5
50ea77e909dc621790c68c9ede6cf731

SHA1
a014bd2ce5226ef11dc5fff18365208a783bcc4c

SHA256
068fbd8091d76a18c905f9d4a75834f6592cf9da43ce6bae46ca8496f0fe4d6b

SHA512
9ea4519b16627b5a2f95b104d6905e04f42a76be35f71c35934d489e5f85268b70e2934b5953038b837ec276ef286fe81d864b283a0a02593f3b02a0d529571a

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

Filesize
868B

MD5
5366661029eed55405e01a51d715b498

SHA1
5ade847e1b212f8d864a299f09fcf1999641c15c

SHA256
8acf0a49bb15ac66b7b6a2ef5d2dec3edb191b664d775a194de7c009b8abc511

SHA512
63b51c7c932f965d1fbd7347e828342c00c6b7b0ff6ccaef366b80086694f2a52045bb8899ef60416bdb5b1d049ee955c97922728596273ce6e1bf42cb7fc1e9

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

Filesize
229KB

MD5
78c3dfdbcb137884591a978fc8a466f5

SHA1
fe726e54f1a3f0b199bb4e27d704f022204b10a0

SHA256
8e8d089d68fbd88d8b6eed29462a7adb66176e5885fd31d745d1d3c4975ad5b8

SHA512
b65e19342b7d06bb621ec31d6d53bf90d972800c85745d66695ee73503b2b43bc0b9ec936fce1e8ef28124ac0d78306e80c16c4fbcad904f5e87c2c873459fc9

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

Filesize
5KB

MD5
80b9b201dcaf1fa4de07282b63711d22

SHA1
4836755d44f2105ca1b50166feecbfb6da5976bc

SHA256
259e80f1f429e8a409489a29d2f4893902a9691c73632a68e51ffe3c19cec7ef

SHA512
79954362ba69b98b627e1fdded611eb562691aa89ef9aba0379874bb2827b01e342d3492e51d4da05a6ba8a90f871a81f76630692842f2da5de1b9405a20a60b

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

Filesize
346B

MD5
ef3fa90a74c1735b92262a189349fd7e

SHA1
1deac108080d9e831409190b105e67980afe6b82

SHA256
5e83115436bc7076c8470b89b1147e80987884d8c87c49dd74861a8499f16b61

SHA512
98162aae21abced2f84d382416c5930dc5083ef83ff644860e38501ad58874337f4348ff2d6f85823f48538f20ca1f81f0fc51b81d77844a2620a1fc102d550d

Download Submit
memory/2028-35-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads