Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 15:59
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe
Size: 1.7MB
MD5: 604d2b5e5d16c8264de15ffee5fb2018
SHA1: 9099bf085872b34d99729eb9ce8c4684afb7988c
SHA256: 24f8b40b7119b9fd58a67a3c8d1ae5594235424f45e0022072112c241cdd0478
SHA512: ab807df332bd8c1ccfd38258364d486586b0985d94c89d53edf9288e655d9bf6c908240147be1c208c6773c1bb47490385502f9bef5729458365383e741f11f5
SSDEEP: 24576:uyZEGubJg8R8AvZulu/U4B6xidIKkrZp4cy0vQzk+dsrERW1uUOVu0/UdSqdtPdE:REpVg3AIlAw4IpdE7srVXHd5dtP4U01
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes: lmi_rescue.exe, LMI_Rescue_srv.exe
pid   process
4536  lmi_rescue.exe
2736  LMI_Rescue_srv.exe
Loads dropped DLL 2 IoCs
Processes: lmi_rescue.exe
pid   process
4536  lmi_rescue.exe
4536  lmi_rescue.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: lmi_rescue.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_464376102 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"  (lmi_rescue.exe)
Checks whether UAC is enabled 2 IoCs
Processes: lmi_rescue.exe, LMI_Rescue_srv.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (lmi_rescue.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (LMI_Rescue_srv.exe)
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: lmi_rescue.exe
File opened for modification: \??\PhysicalDrive0  (lmi_rescue.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies boot configuration data using bcdedit 1 IoCs
Processes: bcdedit.exe
pid   process
4480  bcdedit.exe
Modifies data under HKEY_USERS 41 IoCs
Processes: LMI_Rescue_srv.exe (all 41 entries below)
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
Modifies registry class 64 IoCs
Processes: LMI_Rescue_srv.exe (all 64 entries below)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_f46df5eb-8fea-4bd4-9b36-ff041179e0a5"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_f46df5eb-8fea-4bd4-9b36-ff041179e0a5"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\LMI_Rescue.exe"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LMI_Rescue_srv.exe"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI"
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0
Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: lmi_rescue.exe, LMI_Rescue_srv.exe
pid   process
4536  lmi_rescue.exe
4536  lmi_rescue.exe
2736  LMI_Rescue_srv.exe
2736  LMI_Rescue_srv.exe
2736  LMI_Rescue_srv.exe
2736  LMI_Rescue_srv.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: lmi_rescue.exe, AUDIODG.EXE, LMI_Rescue_srv.exe
description                       pid   process
Token: SeCreateGlobalPrivilege    4536  lmi_rescue.exe
Token: SeCreateGlobalPrivilege    4536  lmi_rescue.exe
Token: 33                         4856  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4856  AUDIODG.EXE
Token: SeCreateGlobalPrivilege    2736  LMI_Rescue_srv.exe
Token: SeCreateGlobalPrivilege    2736  LMI_Rescue_srv.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: lmi_rescue.exe
pid   process
4536  lmi_rescue.exe
4536  lmi_rescue.exe
4536  lmi_rescue.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes: 2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe, LMI_Rescue_srv.exe
description                         pid   process                                                                  target process
PID 3924 wrote to memory of 4536    3924  2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe    lmi_rescue.exe
PID 3924 wrote to memory of 4536    3924  2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe    lmi_rescue.exe
PID 3924 wrote to memory of 4536    3924  2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe    lmi_rescue.exe
PID 3924 wrote to memory of 4536    3924  2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe    lmi_rescue.exe
PID 3924 wrote to memory of 4536    3924  2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe    lmi_rescue.exe
PID 2736 wrote to memory of 4480    2736  LMI_Rescue_srv.exe                                                       bcdedit.exe
PID 2736 wrote to memory of 4480    2736  LMI_Rescue_srv.exe                                                       bcdedit.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe  (PID 3924, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe  (PID 4536, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\AUDIODG.EXE  (PID 4856, depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x49c 0x2f4
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe  (PID 2736, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid f46df5eb-8fea-4bd4-9b36-ff041179e0a5
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\bcdedit.exe  (PID 4480, depth 2)
    Command line: C:\Windows\system32\bcdedit.exe /deletevalue safeboot
    - Modifies boot configuration data using bcdedit
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 05685202d29943a5be58ee16b08baf46
SHA1: c64937267cb2b096fe1304a0ce6f22b473a59df7
SHA256: 60e9bec55a6782caeb9f4a0454bdc61f3988cbe99faf31d053771e72556d5573
SHA512: c984d4de4b4def02301b198d8d29ccc66342c7dfe27d6ea4ceb968f57ccacc2abed236945a224ffecdf222b72d12aeca6f9c93d7413f8ba24c7da9d7930f1744

Filesize: 134KB
MD5: 7cf6bf74754b4de39943fed761fb837e
SHA1: 724593f1c75943274adfa0564192ec2004367aa0
SHA256: 4cda059840b0552fa78121576246a3745785ebc845def31253d5af0de98b77a7
SHA512: e3dd723100c5b298fe9605f33be4dc7c22118af6704e10de28d7e774539e3bc4e49907fdcbe84b5e21e3f93d7fbd5c8c79fe536fad8070a8b26c72625fee7599

Filesize: 257B
MD5: d0fce2640fe6270eb83c06e77c334ba1
SHA1: 1b4d04e05064bb15006ad2a174b37938ed6e1905
SHA256: 2e070fe38b8408bf49cf12f26778320c487024594cf799f243add5b1f3b9f788
SHA512: 9d9f6a93280d0aaa8740b7d12e3c1042dfac92a2fda6b477d50c532f4e4d456be79b34dd09bb0ebec4a07c141bf71e0237a98ba846e1567146b5ebd9971b603f

Filesize: 369B
MD5: e8c0a91983a0cf42eab45d6d1632608e
SHA1: 105fd865c61bce1cef745a68fccc9a2d78949f46
SHA256: 12609b5ff96c2bdebca6c3fe168e12254bd4598ad3fea414ce9c8d839576501d
SHA512: a8e4274cbe80ac67e209b7b9aea8cc2bd0e85a420429240dd8b7489f662bd41919b390af9d07c6832986ccc1c8a2eb9da517cce151ed91b2685208fcba765f15

Filesize: 161B
MD5: 331066b059e7e0aff65d6e902780d1cd
SHA1: c2c493997186490cf5ba313aefe02cde9cc61052
SHA256: 801e687f064c6886b4f68bd64545aea9d8eef6a8c343da59da0cc82dfea2ef24
SHA512: b71924db38fc3968ea8fad60399921eff3d0407b4ce2e116d3655581b197efd6cb7538afbae3da9073b2ffab7182f927dae93b10f5ca083a2a988b3560909a5c

Filesize: 3.8MB
MD5: ce231f194297fa2b56cda3258ec94686
SHA1: b4498461c0f7a8622ce159d578d903df56cb68ae
SHA256: fd1e496e73ad49ad618bd2b15a9fcb580944f00ecec79b096089700048cf0251
SHA512: a5b3b60219c0b0b1702b945784c28831e19c08221e22d0bc06741e969cfa76218e05b055a7783b717004a1b4b7d06fb9743497ed3f1704bca4b026d7e7bf0786

Filesize: 7KB
MD5: 8fd0bc19eae92f5325a5d48af37fa6e9
SHA1: 43786e29ca62ea11ca97ab1999238c192566ac8a
SHA256: a174e3ed004811218ca55eaaa2f5121a59c094e1085183cd32665c90c54b7b73
SHA512: 3bb3548f6ae674393e8f5e0b95a1914878cca139a37cbf39ec8d3bdf6e85b868ada44356e798b7225bc421c72fed6821b6ffc3dd4cd32efc1e393e34169d580d

Filesize: 511B
MD5: 4392f8ece3f263a51e18b0038cff0279
SHA1: db75a03fa7afdf2cedd3b3773a192cc7fe86b29d
SHA256: 98b296443821140bd8d9ff1f5f59d16794d1307497f0136aa2b52399216043bf
SHA512: db59cffcf0fcd19161acec123b29aa9eab80b145bc4ea3a36a24142675d1a3b285ed00067b95490faa4908e9307b4947aae9b4d33b64e464b442edec7cb508b1

Filesize: 636B
MD5: 9432fbcfb62b75f8120498071e9c5deb
SHA1: 9a35664e5ff0646616ddb924f2bc1d87188e98c1
SHA256: d741641c0d4f71f905f8edff86d60cfca62efd8190d64d29edbaba816ebfce2e
SHA512: d80af7674d56c2fe6f9dd7ea7f870111c3b484efe8700b9777f98d84a4592fb54852e0e8e5d8deaf043956ecd8ec4f8575f3dddc8f42c0045eb848870b059fa6

Filesize: 174KB
MD5: 3f62d06452bc7e40dafc6f5cb7a78bd4
SHA1: 0200785066d8e1ebeaabf6e7dfa59dd5dc8bf908
SHA256: f3b61319e6892c7754e34f630edbe13878e7cbc89dd32c8dc2efffb81ee3f1e9
SHA512: e35c0cf1e2f78e3e7f2e7f5385ea33716b55154011425017df34a9d474e70cfe7b898205a93b6d7ae648a3852c0fb3a35f99e0fb45a89495646289bd18e485f8

Filesize: 230KB
MD5: b56450e3b8209039b134827f8a668c7d
SHA1: 26f77251e504530addbc4032c3646724d04d0399
SHA256: 5a17eaf2a7e1afe2da9e6bcf665fe10e787af87147234e7ae901f1b55d65222c
SHA512: b0d728368f923444e3360188ae899674c9dd2df044829d9706a38fba0e823f87151dbd4763432299248ce69ab9a8aa43843587b00e981cf18170876320cb7d26

Filesize: 1KB
MD5: 3d79fa32f03540637418f85d19c3ed60
SHA1: ffcb069a0077a840e8a96ee26f0256b0d44426cc
SHA256: 6b1a8b887177584b63aeb70c7f6c27eb14dfb0de8a2a9b67996281b1401af9d6
SHA512: 545e50bcd539547a90787fda35021e4e5de5d7f59130f35ee8cbe6b3ce67359dd8a307482630382757ddaa31cec53b73b899bbd77312cbae77d6a51dfb86677d

Filesize: 248B
MD5: ceb7c79f6cf6bfdfbc4ffc0975e7c3c0
SHA1: a0bc2c850b87548913edd37ef1687939ab007a6c
SHA256: f214c4c5be30a2a5273fd42fd1d7a934a61ec4521b7477ad55c93829501131b4
SHA512: fd3b8cb830edf8c073c1fc03038d46d109be53f20abe2b922c6aea8d0d97f8e5b9d042604d68c608779274b268a4a691f4b5bec4e087d089af7b89c1410086f4

Filesize: 6KB
MD5: 568eb6d3a7d30d50c87621c49d66a924
SHA1: fd5470eab82a2218b7022d2bfa1b604391d8e064
SHA256: 46c4b223d0638e9f0abb9edf233778f5b8efa6c2a273293d582b7ed9d2312550
SHA512: 02f670a95dbee8a4c69510de2a840540e8b784f2afbad71bfae20ce3b87d406de4860cb13f12043e1cea22543babf0f26ee3fe71f47a0e1e35349be444684778

Filesize: 6KB
MD5: 19613b95043ddf9abeb19a35f663b8f3
SHA1: d84e5c3e6406473df36070c0efe1661713c497d1
SHA256: f2437c89440b92e7943ed8d5f9765c6828fc2828c7049b2263ccfd81dc7d5e12
SHA512: 8b88a1c622df2c817a0b7e03e88d5b93ff16fe380e7fd024224786e312184f9c0e7488e071bcff3262d163cba370603cec55689715d5ee8e36eb32c695df3dae

Filesize: 11KB
MD5: ae7ea3942f10e28300d4e947aa17980c
SHA1: 20a73991e858213c63d7a0fe82a6d23ee773e109
SHA256: e6b7db7e7639b6997706d484adbd0fe4eabd3376f3dc4e3a8d200d1e13a3c08a
SHA512: 95514a2203db50d2d89992e4a824a88652281acf0f4014c6baaaa452900ca8f4c4d5165c8f4d9ffb70eb1f03b5460bddd5d7c283bd30d6ac34214a98d829967f

Filesize: 11KB
MD5: d758d06b22437a9776e10801d29c1fe4
SHA1: 8159aa2899c58627be0a4c4848119f075cbb9017
SHA256: 73a378b5e54e4a1dc14a4234664da61a17d65cdaf91ca664f871b7eab1f13f45
SHA512: 5aa4301d681a0e8e50709c93ff7ebab41e712fc85272e314d565580cd01c75fd60c787a480ee87f2af43551369eda4e09a70556c7261232868cfd73ff87009e7

Filesize: 12KB
MD5: 1d7efce65caffc332417e5e2006aeac4
SHA1: 275eb73f684998984b38cd267a0b2684c3cc3f87
SHA256: f3b5b55d538155092ccdf4a2a733c32ab6a3fc67835f4b8e8744ad379e3a41d0
SHA512: 715038bf3e51b29185400188a44d8ee3137078c73d1120dbaf1348742db1cfc91b144acb9fb40f015f12412559ddaa757a5f47fc4e7aa53434e31e562727b83d

Filesize: 13KB
MD5: 9706ed06b9c8591d9f634f1b93fffd54
SHA1: 6ce466f0341db6387118cc1b3c3d44104098a709
SHA256: 1aaeaa1e8d4aed3fed20fd67baf981cf32271c4254d05123159e61a763a82a92
SHA512: 535f1eb4390ff38ae0fb18902c46e9074953068c2772ce9a349ee7919bff385b81cedab3f7f5cd6905e092c4c75d520565e30611be565d137e9a8298b9fb3ab8

Filesize: 14KB
MD5: 8d0845f0b1303816a976a13b1a717c29
SHA1: ab26736225cb752c513ea5631f9deafda0a499a9
SHA256: e5dfc093aaf1bc9be90d5f6d1a5f556f96d6972395709d6b9688caf0c6323697
SHA512: 8d94c0d3586e7a146d345e7f18585c47b2023f599c544c0c1c05d865739fe73f9949f2cabd05739d92050b3aabdf561de1e95a773342145164f16ec3410e5961

Filesize: 15KB
MD5: d1cce67151a33c7a66a7567c3f9ce6ba
SHA1: 5d12f727753cf06d315c14d5e328e4eaa715e5df
SHA256: 555b29b04a1a90de5879b7122a3402479875cc07c256d9c4af10461651a9fde4
SHA512: ac5a7eaf46abd317776c4f5f4809178002df2abf6248077c3b080eac6bcba5c6e58c3a23c0cfe30a4bfe9ac48695f38f779033e496422dd7581734b17a163d49

Filesize: 17KB
MD5: baf2e6a76d5dd2c3657fb089e8e5ef01
SHA1: f96cec837bfb76f93fdda609b1d0ec9eca823e13
SHA256: e0e200b532e2050f4b66c835d944a2e1ccdaa28886715ba924255a3cad5a70b2
SHA512: af431033878dac7a2178b32ecad2c39f45bf8b9dedc297e83c1f59c9675a593678f987ed2b0916399afbcd86a3d0cb33dd6c11501697ee275a0aa040a20813d9

Filesize: 17KB
MD5: ad43b68919015f174ac229cf0f193d65
SHA1: fa63ce9ea2423e22eb9d81e462e499d182d151c8
SHA256: e84106f446897a0309369c16b99e395b56803067465fc7e203b369816944bd47
SHA512: af12d229b24ad5572779da255948191be6de5f466d48d54ae8722c007e958c0a4e9941f8d82ab501b0d0337a7f9d4829c7c9dbb281e04bf0960664bb4955816d

Filesize: 17KB
MD5: 29cccabf1426585a5aa5a02ec3b8b81a
SHA1: 5b9f21bfa20eba69bfde806376eef432c7c2c5ef
SHA256: 532e2abac98b2c9f1ae6f4e44cdf0c6e2f03c8b031d5981c91aa9e920a27490d
SHA512: 828b19daf7f9c2214d049532a779b42b94727e950875ce88dc8f59dc1f61f9def58ff82b7147190209b99945192307f74d7281cf949038550f5d83b7dc47b142

Filesize: 17KB
MD5: 1cc6f2241ffdc5d52f4e6a90311d297e
SHA1: 148606939e4d2c1cc499e1871f568a91565e5921
SHA256: 2fc0ee34b0cafc8a6faef2a6d24a541f8cdadb9b309907b63ed95a204fc4b9f0
SHA512: ec955b89c98d436fcc263053dba31c758794c170a68edc5d479bfe9def0522c118d7a13a3f1c7ebebdf871d99dbd137951dd302dc556ec7cbd98caf9730ed84f

Filesize: 4KB
MD5: 533527c20a4160f159332733b4d24253
SHA1: c3d0af422c922c833d9b2785e83cc1e7aab198a0
SHA256: a694e6180d9d71b8befd0488904252214cbb115a4805f139efaa2297bbbf8ad6
SHA512: fda7cd8440f2033b1716eb8841af7ab5b066eabe0393180aa6e4c75bac4d2edecdb88c84bd6072f01ea3b031ab1d6c365c97e089396b9b4e23e4c02253ec0c59

Filesize: 6KB
MD5: a5599952b3f52db7c42f4e134922de99
SHA1: 479ca215bb4406e93812744262c305939c9c0a04
SHA256: bd6c1d7d9e3049cfae699edde3edbacad7aaff26b13badf88423862829392f99
SHA512: 31adb7d184009e5af4c2529e85b527a6d9348597058a192a3854a0e12c29ace5a321e92f99549f8ae651562f39d37a521138911ed93c11242c2c8e678d71f3e0

Filesize: 828B
MD5: b89842601fafadaaf3a5a30db64843e6
SHA1: ae543de22241617099086914a30667154b342f05
SHA256: f40ebefb36ab7884e2811d43838fee7f088181b15f5e7b9a89f34760e5ccc47f
SHA512: 88445eeab4563d795d1c604d9eae155ce1ecdd3e2b863aaf8bac0cc569e99a3daa625eb4884927337ee92511b95b84a421d8a8ba859e5e2f19f477beddd81efb

Filesize: 936B
MD5: cc5165b940d03b193a6e6ef7e817c38b
SHA1: fbfee80ffca9e707121813dd29030422e279c6d7
SHA256: c33b0d4baaf52f6caa4e400f4c42464c566eda63b3e03596ae4443f41ae62704
SHA512: 51db53ca6d70ee6f582453d9a4eae9ad12708f62caa9421c5098b40704847d2c81960b76ed7bed8a9109f2edc36f23ad8c0191e2a8ad99a604c0832bfe2c42e5

Filesize: 346B
MD5: 476109c1fe3046b1ae75343bb84b480f
SHA1: 8d4c5d6a7eb771743fa8a216e1216941b1137cd7
SHA256: 93682cbe21180e4381330e4766ffe6675fe8a469c28d61a05cebb98597e37ef0
SHA512: e1fb36d6265f75145789aea37c0f94ce4c5a25d1e385f4eab5215d420ce56a53edbcd63390bd39a67d8e03e3567688a012d5eabe218f42f44a91fb41e53d8d8c

Filesize: 689B
MD5: a9a5d127fc8edf828b7593b693ad7f2f
SHA1: 9534a9e03983f377cfd31684858c32801606d6dc
SHA256: eb41906575c4d080024619b8948de7dc865e180645966cc6eba85891d8d2abaf
SHA512: 7923e930b15a42335234a4ba7501f97b0aca081a6a8054e9aa2405f1c857023be07a684b6539825781f7e22045bea700b603c38104b7815de9915c9cfefd7783