Malware Analysis Report

2024-09-23 13:19

Sample ID 240612-1xqhwswcjm
Target 2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany
SHA256 ac76e67800396fa29f380ce6e79bf1a312d46f51324fae1d0e5e6be12b84e6d9
Tags
bootkit evasion persistence trojan
Score
7/10


Analysis Overview

Score
7/10

SHA256

ac76e67800396fa29f380ce6e79bf1a312d46f51324fae1d0e5e6be12b84e6d9

Threat Level: Shows suspicious behavior

The file 2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany was found to show suspicious behavior.

Malicious Activity Summary

bootkit evasion persistence trojan

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 22:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 22:01

Reported

2024-06-12 22:04

Platform

win7-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_265426359 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
(the same DNS query was recorded 11 times; the repeated identical rows are collapsed here)

Files

\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

MD5 735ef1b70fad1fba9793abd27a803803
SHA1 0e082f539a1e9fc9fca3141613e813fc2e113779
SHA256 6881582e0dc0dcdcb9009b6cce6a0ba369d2372a7405dcbad6ce8d9425fcb68b
SHA512 4edeebc090af8feba67d04ddb44ad84f36dcc3a2918f3166ade99ab04422ccb0a4f4785ff95f7f7fe4319766f73128907a373b2a2c018eb5771a519936b6165e

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

MD5 5632fd18f63daecf89bb97fd9ce16498
SHA1 ae71cc4fa464f95a1f3b9aec35bc3efcef050c09
SHA256 6931b1d510a5ce817b68fa479622b40458986c99202c85051655df6a1fa824ed
SHA512 f18faef303aa9b35d2213561ab52f8415136c1cdabee37b28cb4e909cb02128a4693b6e1d4c37b36da1eb603ffd18752b566f97355a8d14113974756cf59ceb3

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

MD5 bac4bae81b691ce3c15f05b6e9063e08
SHA1 8b012d50318bdc868097d3f6cf1d7db7c55f3d04
SHA256 f5271dfddd6ba8b37ea950cb839439d4d38cf0de0400b6fb9f2cad4ed87b41e2
SHA512 7ece1da4398f3ad0c65e99b2807ffdaeb89c8397eccf5e5763ed67498151a27cf06297326c651b91c560a0a29532a46d68a715a0dcf133c7dc055e0e1e5309d2

memory/2168-35-0x00000000011C0000-0x00000000015C6000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

MD5 8ad28e79941ce3e002804dfe1722ea87
SHA1 f0a6461b893023261056dcb0dcfab0c21615a24f
SHA256 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933
SHA512 de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

MD5 488e9ca1377ac6a7952f122520fab933
SHA1 b29f32f46806632fbc3fe706cc862989f7944669
SHA256 a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088
SHA512 591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c

\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

MD5 f263e07e90109e09ff4e5e5419136c39
SHA1 2935f14136ba18825bf6942ce0db8ef4984f9176
SHA256 dab0fcfdf3cfe20720876485a5eac1700974dee37e06b5e71c5bc89c02e5fdd2
SHA512 cb0173e92acfd3729aeb801ef8ecbeb4d35e1b09dfd47365e8889b856fd214a56189f29635e859b9cdb2ce2c8ee0ef3551d110200627ac41ba9b516c91c2ee14

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 55082b61c8c331e92b32f4a1ace3f1f0
SHA1 6b485e30084efd8c03bba513f3e61977ac7c2456
SHA256 6a2068ec8368f8037ec87bc18600afe60da6d1a63ee9a38fe29a1f78e275d5f9
SHA512 a487c7d9f5eaf8c126fc73913016d044f1dd116183f95d28ceb7acb293e7deee84d61173c5390ba5f4808884a7e4accfe4c0e762b49c497b7bbb91d7cb58234b

memory/2168-393-0x00000000011C0000-0x00000000015C6000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 5b132f3ee089bc927545e96451c76a92
SHA1 5ebf65c40ad6ecf56f4bb8510384fb8df5b69d70
SHA256 51e3825628662ba364701e8b5a9005f19d8d9f0579a3853f4aae3d5dbe4398c1
SHA512 5680e51b7eaf8eb4fd3e68370703b03abb985927c0d5982fafe29a122990d66e093d23d50f4a7120a7a9ba6057a982c24e1fe4f5b611af5a178d3946acbcbe2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 22:01

Reported

2024-06-12 22:04

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_265426359 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
GB 158.120.18.91:443 secure.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 control.rsc-app26-02.logmeinrescue-enterprise.com udp
US 158.120.25.156:443 control.rsc-app26-02.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.18.120.158.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.217:443 www.bing.com tcp
US 8.8.8.8:53 156.25.120.158.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

MD5 735ef1b70fad1fba9793abd27a803803
SHA1 0e082f539a1e9fc9fca3141613e813fc2e113779
SHA256 6881582e0dc0dcdcb9009b6cce6a0ba369d2372a7405dcbad6ce8d9425fcb68b
SHA512 4edeebc090af8feba67d04ddb44ad84f36dcc3a2918f3166ade99ab04422ccb0a4f4785ff95f7f7fe4319766f73128907a373b2a2c018eb5771a519936b6165e

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

MD5 5632fd18f63daecf89bb97fd9ce16498
SHA1 ae71cc4fa464f95a1f3b9aec35bc3efcef050c09
SHA256 6931b1d510a5ce817b68fa479622b40458986c99202c85051655df6a1fa824ed
SHA512 f18faef303aa9b35d2213561ab52f8415136c1cdabee37b28cb4e909cb02128a4693b6e1d4c37b36da1eb603ffd18752b566f97355a8d14113974756cf59ceb3

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

MD5 fbff9022ca6db8d4b9cdf67012081769
SHA1 cd5ddb07d9fa0c6e49d630d61d4c6a015391b32c
SHA256 a749e7847167f0f8dad0e69944478878bc78e644589aa1252b746cca4e3b07f1
SHA512 1df64921d20fd01cbb434ad996c9148ca042ad015ca9abfde53cbd6b6569deb5ce10b5b6c2fdd4ea0366c24362d22898dfe0f1b41e0cdc99e799b921e696e589

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

MD5 bac4bae81b691ce3c15f05b6e9063e08
SHA1 8b012d50318bdc868097d3f6cf1d7db7c55f3d04
SHA256 f5271dfddd6ba8b37ea950cb839439d4d38cf0de0400b6fb9f2cad4ed87b41e2
SHA512 7ece1da4398f3ad0c65e99b2807ffdaeb89c8397eccf5e5763ed67498151a27cf06297326c651b91c560a0a29532a46d68a715a0dcf133c7dc055e0e1e5309d2

memory/2732-34-0x00000000031E0000-0x00000000031E1000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

MD5 8ad28e79941ce3e002804dfe1722ea87
SHA1 f0a6461b893023261056dcb0dcfab0c21615a24f
SHA256 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933
SHA512 de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

MD5 488e9ca1377ac6a7952f122520fab933
SHA1 b29f32f46806632fbc3fe706cc862989f7944669
SHA256 a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088
SHA512 591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

MD5 f263e07e90109e09ff4e5e5419136c39
SHA1 2935f14136ba18825bf6942ce0db8ef4984f9176
SHA256 dab0fcfdf3cfe20720876485a5eac1700974dee37e06b5e71c5bc89c02e5fdd2
SHA512 cb0173e92acfd3729aeb801ef8ecbeb4d35e1b09dfd47365e8889b856fd214a56189f29635e859b9cdb2ce2c8ee0ef3551d110200627ac41ba9b516c91c2ee14

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 ebe93baf261cbec2c267bf6df8da9ebd
SHA1 87cab7a821ae544968c893e5de80204f1686ad57
SHA256 f2f77bdbc7e58f135135624316ed06befa631165f1c180e600749ee43e48a82d
SHA512 2694f5e9527766d2bddd696461befadc7c94fde32a18a038c499398b25ee4602638e6a429465cb72481d2aeaf83e08bd39790ac03c60b25737ddb28e066d6968

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 d710e2a358eaf88dbad87de386cd6613
SHA1 4210cd611a5d03cba68781541bda3a75807ee8d7
SHA256 392fc242084881625dc35ac40bf0d9dc6460d6e70e3b81a9ff3b6e6bf6b1ba7c
SHA512 b703daa58cf8e1a667442409a5201e12b040efeb7dc69ec071444a4a18ff20b354840be0e504a224b6b2923895e35d956ebb4a53d4aa57b3e214514d75ab15b3

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 d8798fb4576cb81451c28fe2bdd43e8e
SHA1 a45cb074b52c372e5dfd4966c9a17b9eaa7daa7b
SHA256 a09b6bb1b1b877d30d9aca5ad7a8294bff9d37dbf0e4869e74017087584c510f
SHA512 c589c4709f9c2c0144689c4f882cb68cd7402220c101f341346deae3b8667ac9cbae7c4848d592cc73b6a99a1f620ebaf9b5c08f901475e125fe36e49f7cb690