Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-06-2024 15:59

General

  • Target

    2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe

  • Size

    1.7MB

  • MD5

    604d2b5e5d16c8264de15ffee5fb2018

  • SHA1

    9099bf085872b34d99729eb9ce8c4684afb7988c

  • SHA256

    24f8b40b7119b9fd58a67a3c8d1ae5594235424f45e0022072112c241cdd0478

  • SHA512

    ab807df332bd8c1ccfd38258364d486586b0985d94c89d53edf9288e655d9bf6c908240147be1c208c6773c1bb47490385502f9bef5729458365383e741f11f5

  • SSDEEP

    24576:uyZEGubJg8R8AvZulu/U4B6xidIKkrZp4cy0vQzk+dsrERW1uUOVu0/UdSqdtPdE:REpVg3AIlAw4IpdE7srVXHd5dtP4U01

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies boot configuration data using bcdedit 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
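Of the signatures above, the MBR write is the one to confirm at disk level, because (as the signature note says) anything planted there runs before the operating system. The check below is an added example, not part of this report or of any tool it names: it parses a 512-byte sector 0 dump (for instance `dd if=/dev/sda bs=512 count=1 of=after.bin` taken from the sandbox disk image) and diffs the boot code, disk signature and partition table against a copy taken before detonation. The MBR it builds is constructed for illustration; `read_first_sector` is the helper you would point at real before/after dumps.

```python
"""MBR integrity check (added example, not from the sandbox report)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440       # bytes 0..439: boot code, the part a bootkit overwrites
PART_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIG_OFFSET = 510     # 0x55AA marks a valid MBR


def build_sample_mbr(fill: bytes = b"\x90") -> bytes:
    """Constructed MBR: NOP-filled boot code, one bootable NTFS partition."""
    bootstrap = (fill * BOOTSTRAP_LEN)[:BOOTSTRAP_LEN]
    disk_signature = b"\x11\x22\x33\x44"
    reserved = b"\x00\x00"
    # status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48
    return bootstrap + disk_signature + reserved + table + b"\x55\xaa"


def read_first_sector(path: str) -> bytes:
    """Sector 0 of a raw disk image or a dd dump of it."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into the fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 is an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": sector[BOOTSTRAP_LEN:BOOTSTRAP_LEN + 4].hex(),
        "partitions": partitions,
        "boot_signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Human-readable findings; an empty list means sector 0 is unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        findings.append("bootstrap code (bytes 0-439) changed: possible bootkit install")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    before = build_sample_mbr()
    after = bytearray(before)
    after[0:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # constructed: boot code replaced
    for finding in compare_mbr(before, bytes(after)):
        print(finding)
```

A changed partition table without a changed boot code usually means a partitioning operation rather than a bootkit; a changed boot code with an intact table is the pattern to escalate. On real dumps, substitute `read_first_sector("before.bin")` and `read_first_sector("after.bin")` for the constructed values.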

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4536
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x49c 0x2f4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4856
  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
    "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid f46df5eb-8fea-4bd4-9b36-ff041179e0a5
    1⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\system32\bcdedit.exe
      C:\Windows\system32\bcdedit.exe /deletevalue safeboot
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4480
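The tree above has two roots: the submitted sample spawns `lmi_rescue.exe`, while a separate `-service` instance of `LMI_Rescue_srv.exe` runs `bcdedit.exe /deletevalue safeboot`. With no identifier given, `/deletevalue safeboot` acts on `{current}` and removes the Safe Mode boot setting, so the next boot is a normal one; the opposite operation, `/set safeboot`, forces Safe Mode where most endpoint agents do not run, and both directions are worth alerting on. The triage below is an added example, not part of this report or of any tool it names, run over constructed process-creation events that mirror the tree: the PIDs and command lines are the report's, while the parent PIDs of the top-level processes (services.exe for the `-service` instance, explorer.exe for the submitted sample) and the `exec_from_user_writable_path` / `safeboot_change_from_user_writable_parent` rule names are assumptions.

```python
"""Process-tree triage over constructed process-creation events
(added example, not from the sandbox report)."""
import re
from pathlib import PureWindowsPath

# Binaries executing from a per-user writable directory deserve a closer look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)
# "/set safeboot ..." forces Safe Mode on next boot (ATT&CK T1562.009);
# "/deletevalue safeboot" removes that setting again. Flag both.
SAFEBOOT = re.compile(r"bcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)

APPLET = r"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe")

# Constructed events. PIDs 3924/4536/2736/4480 and their command lines come
# from the report; 700 (services.exe) and 1234 (explorer.exe) are assumed
# parents, and explorer's own parent (1000) is deliberately absent to show
# how a truncated tree is handled.
EVENTS = [
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 1234, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3924, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4536, "ppid": 3924, "image": APPLET + r"\lmi_rescue.exe",
     "cmdline": f'"{APPLET}\\lmi_rescue.exe"'},
    {"pid": 2736, "ppid": 700, "image": APPLET + r"\LMI_Rescue_srv.exe",
     "cmdline": f'"{APPLET}\\LMI_Rescue_srv.exe" -service '
                "-sid f46df5eb-8fea-4bd4-9b36-ff041179e0a5"},
    {"pid": 4480, "ppid": 2736, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": r"C:\Windows\system32\bcdedit.exe /deletevalue safeboot"},
]


def ancestry(events: list, pid: int) -> list:
    """Image basenames from the outermost known ancestor down to pid.
    Stops at the first parent missing from the event set (truncated tree)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(PureWindowsPath(by_pid[pid]["image"]).name)
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events: list) -> list:
    """Return (pid, rule, ancestry) tuples for every rule that fires."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if USER_WRITABLE.search(e["image"]):
            findings.append((e["pid"], "exec_from_user_writable_path", chain))
        if SAFEBOOT.search(e["cmdline"]):
            findings.append((e["pid"], "bcdedit_safeboot_change", chain))
            # Walk upwards: a boot-config change driven by a binary living in a
            # user-writable directory is the chain to escalate.
            parent = by_pid.get(e["ppid"])
            while parent is not None:
                if USER_WRITABLE.search(parent["image"]):
                    findings.append((e["pid"],
                                     "safeboot_change_from_user_writable_parent", chain))
                    break
                parent = by_pid.get(parent["ppid"])
    return findings


if __name__ == "__main__":
    for pid, rule, chain in triage(EVENTS):
        print(f"{pid:>5}  {rule:<42} {' > '.join(chain)}")
```

The same rules apply unchanged to Sysmon Event ID 1 or Security 4688 records once they are mapped into the `pid`/`ppid`/`image`/`cmdline` shape above; the ancestry walk is what turns a noisy "bcdedit ran" alert into "bcdedit ran on behalf of a binary dropped under AppData\Local".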

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe.manifest

    Filesize

    1KB

    MD5

    05685202d29943a5be58ee16b08baf46

    SHA1

    c64937267cb2b096fe1304a0ce6f22b473a59df7

    SHA256

    60e9bec55a6782caeb9f4a0454bdc61f3988cbe99faf31d053771e72556d5573

    SHA512

    c984d4de4b4def02301b198d8d29ccc66342c7dfe27d6ea4ceb968f57ccacc2abed236945a224ffecdf222b72d12aeca6f9c93d7413f8ba24c7da9d7930f1744

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

    Filesize

    134KB

    MD5

    7cf6bf74754b4de39943fed761fb837e

    SHA1

    724593f1c75943274adfa0564192ec2004367aa0

    SHA256

    4cda059840b0552fa78121576246a3745785ebc845def31253d5af0de98b77a7

    SHA512

    e3dd723100c5b298fe9605f33be4dc7c22118af6704e10de28d7e774539e3bc4e49907fdcbe84b5e21e3f93d7fbd5c8c79fe536fad8070a8b26c72625fee7599

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

    Filesize

    257B

    MD5

    d0fce2640fe6270eb83c06e77c334ba1

    SHA1

    1b4d04e05064bb15006ad2a174b37938ed6e1905

    SHA256

    2e070fe38b8408bf49cf12f26778320c487024594cf799f243add5b1f3b9f788

    SHA512

    9d9f6a93280d0aaa8740b7d12e3c1042dfac92a2fda6b477d50c532f4e4d456be79b34dd09bb0ebec4a07c141bf71e0237a98ba846e1567146b5ebd9971b603f

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

    Filesize

    369B

    MD5

    e8c0a91983a0cf42eab45d6d1632608e

    SHA1

    105fd865c61bce1cef745a68fccc9a2d78949f46

    SHA256

    12609b5ff96c2bdebca6c3fe168e12254bd4598ad3fea414ce9c8d839576501d

    SHA512

    a8e4274cbe80ac67e209b7b9aea8cc2bd0e85a420429240dd8b7489f662bd41919b390af9d07c6832986ccc1c8a2eb9da517cce151ed91b2685208fcba765f15

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

    Filesize

    161B

    MD5

    331066b059e7e0aff65d6e902780d1cd

    SHA1

    c2c493997186490cf5ba313aefe02cde9cc61052

    SHA256

    801e687f064c6886b4f68bd64545aea9d8eef6a8c343da59da0cc82dfea2ef24

    SHA512

    b71924db38fc3968ea8fad60399921eff3d0407b4ce2e116d3655581b197efd6cb7538afbae3da9073b2ffab7182f927dae93b10f5ca083a2a988b3560909a5c

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

    Filesize

    3.8MB

    MD5

    ce231f194297fa2b56cda3258ec94686

    SHA1

    b4498461c0f7a8622ce159d578d903df56cb68ae

    SHA256

    fd1e496e73ad49ad618bd2b15a9fcb580944f00ecec79b096089700048cf0251

    SHA512

    a5b3b60219c0b0b1702b945784c28831e19c08221e22d0bc06741e969cfa76218e05b055a7783b717004a1b4b7d06fb9743497ed3f1704bca4b026d7e7bf0786

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

    Filesize

    7KB

    MD5

    8fd0bc19eae92f5325a5d48af37fa6e9

    SHA1

    43786e29ca62ea11ca97ab1999238c192566ac8a

    SHA256

    a174e3ed004811218ca55eaaa2f5121a59c094e1085183cd32665c90c54b7b73

    SHA512

    3bb3548f6ae674393e8f5e0b95a1914878cca139a37cbf39ec8d3bdf6e85b868ada44356e798b7225bc421c72fed6821b6ffc3dd4cd32efc1e393e34169d580d

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

    Filesize

    511B

    MD5

    4392f8ece3f263a51e18b0038cff0279

    SHA1

    db75a03fa7afdf2cedd3b3773a192cc7fe86b29d

    SHA256

    98b296443821140bd8d9ff1f5f59d16794d1307497f0136aa2b52399216043bf

    SHA512

    db59cffcf0fcd19161acec123b29aa9eab80b145bc4ea3a36a24142675d1a3b285ed00067b95490faa4908e9307b4947aae9b4d33b64e464b442edec7cb508b1

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

    Filesize

    636B

    MD5

    9432fbcfb62b75f8120498071e9c5deb

    SHA1

    9a35664e5ff0646616ddb924f2bc1d87188e98c1

    SHA256

    d741641c0d4f71f905f8edff86d60cfca62efd8190d64d29edbaba816ebfce2e

    SHA512

    d80af7674d56c2fe6f9dd7ea7f870111c3b484efe8700b9777f98d84a4592fb54852e0e8e5d8deaf043956ecd8ec4f8575f3dddc8f42c0045eb848870b059fa6

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe

    Filesize

    174KB

    MD5

    3f62d06452bc7e40dafc6f5cb7a78bd4

    SHA1

    0200785066d8e1ebeaabf6e7dfa59dd5dc8bf908

    SHA256

    f3b61319e6892c7754e34f630edbe13878e7cbc89dd32c8dc2efffb81ee3f1e9

    SHA512

    e35c0cf1e2f78e3e7f2e7f5385ea33716b55154011425017df34a9d474e70cfe7b898205a93b6d7ae648a3852c0fb3a35f99e0fb45a89495646289bd18e485f8

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

    Filesize

    230KB

    MD5

    b56450e3b8209039b134827f8a668c7d

    SHA1

    26f77251e504530addbc4032c3646724d04d0399

    SHA256

    5a17eaf2a7e1afe2da9e6bcf665fe10e787af87147234e7ae901f1b55d65222c

    SHA512

    b0d728368f923444e3360188ae899674c9dd2df044829d9706a38fba0e823f87151dbd4763432299248ce69ab9a8aa43843587b00e981cf18170876320cb7d26

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

    Filesize

    1KB

    MD5

    3d79fa32f03540637418f85d19c3ed60

    SHA1

    ffcb069a0077a840e8a96ee26f0256b0d44426cc

    SHA256

    6b1a8b887177584b63aeb70c7f6c27eb14dfb0de8a2a9b67996281b1401af9d6

    SHA512

    545e50bcd539547a90787fda35021e4e5de5d7f59130f35ee8cbe6b3ce67359dd8a307482630382757ddaa31cec53b73b899bbd77312cbae77d6a51dfb86677d

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.info

    Filesize

    248B

    MD5

    ceb7c79f6cf6bfdfbc4ffc0975e7c3c0

    SHA1

    a0bc2c850b87548913edd37ef1687939ab007a6c

    SHA256

    f214c4c5be30a2a5273fd42fd1d7a934a61ec4521b7477ad55c93829501131b4

    SHA512

    fd3b8cb830edf8c073c1fc03038d46d109be53f20abe2b922c6aea8d0d97f8e5b9d042604d68c608779274b268a4a691f4b5bec4e087d089af7b89c1410086f4

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    6KB

    MD5

    568eb6d3a7d30d50c87621c49d66a924

    SHA1

    fd5470eab82a2218b7022d2bfa1b604391d8e064

    SHA256

    46c4b223d0638e9f0abb9edf233778f5b8efa6c2a273293d582b7ed9d2312550

    SHA512

    02f670a95dbee8a4c69510de2a840540e8b784f2afbad71bfae20ce3b87d406de4860cb13f12043e1cea22543babf0f26ee3fe71f47a0e1e35349be444684778

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    6KB

    MD5

    19613b95043ddf9abeb19a35f663b8f3

    SHA1

    d84e5c3e6406473df36070c0efe1661713c497d1

    SHA256

    f2437c89440b92e7943ed8d5f9765c6828fc2828c7049b2263ccfd81dc7d5e12

    SHA512

    8b88a1c622df2c817a0b7e03e88d5b93ff16fe380e7fd024224786e312184f9c0e7488e071bcff3262d163cba370603cec55689715d5ee8e36eb32c695df3dae

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    11KB

    MD5

    ae7ea3942f10e28300d4e947aa17980c

    SHA1

    20a73991e858213c63d7a0fe82a6d23ee773e109

    SHA256

    e6b7db7e7639b6997706d484adbd0fe4eabd3376f3dc4e3a8d200d1e13a3c08a

    SHA512

    95514a2203db50d2d89992e4a824a88652281acf0f4014c6baaaa452900ca8f4c4d5165c8f4d9ffb70eb1f03b5460bddd5d7c283bd30d6ac34214a98d829967f

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    11KB

    MD5

    d758d06b22437a9776e10801d29c1fe4

    SHA1

    8159aa2899c58627be0a4c4848119f075cbb9017

    SHA256

    73a378b5e54e4a1dc14a4234664da61a17d65cdaf91ca664f871b7eab1f13f45

    SHA512

    5aa4301d681a0e8e50709c93ff7ebab41e712fc85272e314d565580cd01c75fd60c787a480ee87f2af43551369eda4e09a70556c7261232868cfd73ff87009e7

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    12KB

    MD5

    1d7efce65caffc332417e5e2006aeac4

    SHA1

    275eb73f684998984b38cd267a0b2684c3cc3f87

    SHA256

    f3b5b55d538155092ccdf4a2a733c32ab6a3fc67835f4b8e8744ad379e3a41d0

    SHA512

    715038bf3e51b29185400188a44d8ee3137078c73d1120dbaf1348742db1cfc91b144acb9fb40f015f12412559ddaa757a5f47fc4e7aa53434e31e562727b83d

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    13KB

    MD5

    9706ed06b9c8591d9f634f1b93fffd54

    SHA1

    6ce466f0341db6387118cc1b3c3d44104098a709

    SHA256

    1aaeaa1e8d4aed3fed20fd67baf981cf32271c4254d05123159e61a763a82a92

    SHA512

    535f1eb4390ff38ae0fb18902c46e9074953068c2772ce9a349ee7919bff385b81cedab3f7f5cd6905e092c4c75d520565e30611be565d137e9a8298b9fb3ab8

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    14KB

    MD5

    8d0845f0b1303816a976a13b1a717c29

    SHA1

    ab26736225cb752c513ea5631f9deafda0a499a9

    SHA256

    e5dfc093aaf1bc9be90d5f6d1a5f556f96d6972395709d6b9688caf0c6323697

    SHA512

    8d94c0d3586e7a146d345e7f18585c47b2023f599c544c0c1c05d865739fe73f9949f2cabd05739d92050b3aabdf561de1e95a773342145164f16ec3410e5961

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    15KB

    MD5

    d1cce67151a33c7a66a7567c3f9ce6ba

    SHA1

    5d12f727753cf06d315c14d5e328e4eaa715e5df

    SHA256

    555b29b04a1a90de5879b7122a3402479875cc07c256d9c4af10461651a9fde4

    SHA512

    ac5a7eaf46abd317776c4f5f4809178002df2abf6248077c3b080eac6bcba5c6e58c3a23c0cfe30a4bfe9ac48695f38f779033e496422dd7581734b17a163d49

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    17KB

    MD5

    baf2e6a76d5dd2c3657fb089e8e5ef01

    SHA1

    f96cec837bfb76f93fdda609b1d0ec9eca823e13

    SHA256

    e0e200b532e2050f4b66c835d944a2e1ccdaa28886715ba924255a3cad5a70b2

    SHA512

    af431033878dac7a2178b32ecad2c39f45bf8b9dedc297e83c1f59c9675a593678f987ed2b0916399afbcd86a3d0cb33dd6c11501697ee275a0aa040a20813d9

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    17KB

    MD5

    ad43b68919015f174ac229cf0f193d65

    SHA1

    fa63ce9ea2423e22eb9d81e462e499d182d151c8

    SHA256

    e84106f446897a0309369c16b99e395b56803067465fc7e203b369816944bd47

    SHA512

    af12d229b24ad5572779da255948191be6de5f466d48d54ae8722c007e958c0a4e9941f8d82ab501b0d0337a7f9d4829c7c9dbb281e04bf0960664bb4955816d

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    17KB

    MD5

    29cccabf1426585a5aa5a02ec3b8b81a

    SHA1

    5b9f21bfa20eba69bfde806376eef432c7c2c5ef

    SHA256

    532e2abac98b2c9f1ae6f4e44cdf0c6e2f03c8b031d5981c91aa9e920a27490d

    SHA512

    828b19daf7f9c2214d049532a779b42b94727e950875ce88dc8f59dc1f61f9def58ff82b7147190209b99945192307f74d7281cf949038550f5d83b7dc47b142

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    17KB

    MD5

    1cc6f2241ffdc5d52f4e6a90311d297e

    SHA1

    148606939e4d2c1cc499e1871f568a91565e5921

    SHA256

    2fc0ee34b0cafc8a6faef2a6d24a541f8cdadb9b309907b63ed95a204fc4b9f0

    SHA512

    ec955b89c98d436fcc263053dba31c758794c170a68edc5d479bfe9def0522c118d7a13a3f1c7ebebdf871d99dbd137951dd302dc556ec7cbd98caf9730ed84f

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    4KB

    MD5

    533527c20a4160f159332733b4d24253

    SHA1

    c3d0af422c922c833d9b2785e83cc1e7aab198a0

    SHA256

    a694e6180d9d71b8befd0488904252214cbb115a4805f139efaa2297bbbf8ad6

    SHA512

    fda7cd8440f2033b1716eb8841af7ab5b066eabe0393180aa6e4c75bac4d2edecdb88c84bd6072f01ea3b031ab1d6c365c97e089396b9b4e23e4c02253ec0c59

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    6KB

    MD5

    a5599952b3f52db7c42f4e134922de99

    SHA1

    479ca215bb4406e93812744262c305939c9c0a04

    SHA256

    bd6c1d7d9e3049cfae699edde3edbacad7aaff26b13badf88423862829392f99

    SHA512

    31adb7d184009e5af4c2529e85b527a6d9348597058a192a3854a0e12c29ace5a321e92f99549f8ae651562f39d37a521138911ed93c11242c2c8e678d71f3e0

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

    Filesize

    828B

    MD5

    b89842601fafadaaf3a5a30db64843e6

    SHA1

    ae543de22241617099086914a30667154b342f05

    SHA256

    f40ebefb36ab7884e2811d43838fee7f088181b15f5e7b9a89f34760e5ccc47f

    SHA512

    88445eeab4563d795d1c604d9eae155ce1ecdd3e2b863aaf8bac0cc569e99a3daa625eb4884927337ee92511b95b84a421d8a8ba859e5e2f19f477beddd81efb

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

    Filesize

    936B

    MD5

    cc5165b940d03b193a6e6ef7e817c38b

    SHA1

    fbfee80ffca9e707121813dd29030422e279c6d7

    SHA256

    c33b0d4baaf52f6caa4e400f4c42464c566eda63b3e03596ae4443f41ae62704

    SHA512

    51db53ca6d70ee6f582453d9a4eae9ad12708f62caa9421c5098b40704847d2c81960b76ed7bed8a9109f2edc36f23ad8c0191e2a8ad99a604c0832bfe2c42e5

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

    Filesize

    346B

    MD5

    476109c1fe3046b1ae75343bb84b480f

    SHA1

    8d4c5d6a7eb771743fa8a216e1216941b1137cd7

    SHA256

    93682cbe21180e4381330e4766ffe6675fe8a469c28d61a05cebb98597e37ef0

    SHA512

    e1fb36d6265f75145789aea37c0f94ce4c5a25d1e385f4eab5215d420ce56a53edbcd63390bd39a67d8e03e3567688a012d5eabe218f42f44a91fb41e53d8d8c

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

    Filesize

    689B

    MD5

    a9a5d127fc8edf828b7593b693ad7f2f

    SHA1

    9534a9e03983f377cfd31684858c32801606d6dc

    SHA256

    eb41906575c4d080024619b8948de7dc865e180645966cc6eba85891d8d2abaf

    SHA512

    7923e930b15a42335234a4ba7501f97b0aca081a6a8054e9aa2405f1c857023be07a684b6539825781f7e22045bea700b603c38104b7815de9915c9cfefd7783

  • memory/4536-34-0x00000000039C0000-0x00000000039C1000-memory.dmp

    Filesize

    4KB

  • memory/4536-187-0x00000000039C0000-0x00000000039C1000-memory.dmp

    Filesize

    4KB
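Two things about the Downloads list matter when turning it into indicators. First, `chatlog.dat`, `params.txt`, `rescue.log` and `session.log` each appear several times with different sizes and hashes: the applet keeps rewriting them during the run, so those hashes are snapshots, not stable indicators, and only the PE files and the manifest are worth hashing for. Second, every dropped path carries LogMeIn Rescue Applet component names, so a hash or filename hit on another host should be cross-checked against the vendor's signed binaries (Authenticode) before it is treated as malicious. The sweep below is an added example, not part of this report or of any tool it names; it takes the stable SHA-256 values from the list above, walks a directory, and reports exact hash matches separately from "same filename, different hash" (a different build of the same component). The demo directory and its contents are constructed, and `run_demo` is a helper introduced here.

```python
"""IoC sweep built from the report's stable file hashes
(added example, not from the sandbox report)."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from the Downloads section; log-style files that the
# applet rewrites during the run are deliberately left out.
REPORT_IOCS = {
    "lmi_rescue.exe": "fd1e496e73ad49ad618bd2b15a9fcb580944f00ecec79b096089700048cf0251",
    "ra64app.exe": "f3b61319e6892c7754e34f630edbe13878e7cbc89dd32c8dc2efffb81ee3f1e9",
    "rahook.dll": "5a17eaf2a7e1afe2da9e6bcf665fe10e787af87147234e7ae901f1b55d65222c",
    "RescueWinRTLib.dll": "4cda059840b0552fa78121576246a3745785ebc845def31253d5af0de98b77a7",
    "LMI_Rescue_srv.exe.manifest": "60e9bec55a6782caeb9f4a0454bdc61f3988cbe99faf31d053771e72556d5573",
}


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs: dict) -> list:
    """One finding per file that matches an IoC by hash ("hash") or that
    carries an IoC filename with different content ("name-only")."""
    by_hash = {digest.lower(): name for name, digest in iocs.items()}
    by_name = {name.lower(): name for name in iocs}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in by_hash:
            findings.append({"path": str(path), "match": "hash", "ioc": by_hash[digest]})
        elif path.name.lower() in by_name:
            findings.append({"path": str(path), "match": "name-only",
                             "ioc": by_name[path.name.lower()]})
    return findings


def run_demo() -> list:
    """Constructed directory: one file whose hash is added to the IoC set
    (standing in for a known-bad artifact), one file that reuses an IoC
    filename with different content, and one bystander."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "LogMeIn Rescue Applet" / "LMIR0001.tmp"
        root.mkdir(parents=True)
        (root / "rahook.dll").write_bytes(b"constructed: not the reported build")
        (root / "logo.bmp").write_bytes(b"constructed bystander")
        planted = root / "planted.bin"
        planted.write_bytes(b"constructed: pretend this is a known-bad artifact")
        iocs = dict(REPORT_IOCS)
        iocs["planted.bin"] = sha256_file(planted)  # constructed IoC for the demo
        return sweep(root, iocs)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['match']:<9} {finding['ioc']:<28} {finding['path']}")
```

On a real host, point `sweep` at the user's `AppData\Local` tree (or the whole profile) with `REPORT_IOCS` alone. A "hash" match is the exact build seen in this run; a "name-only" match is the same component at a different version and tells you to compare signatures and timestamps rather than to block on sight.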