Analysis Overview
SHA256
ac76e67800396fa29f380ce6e79bf1a312d46f51324fae1d0e5e6be12b84e6d9
Threat Level: Shows suspicious behavior
The file 2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 22:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 22:01
Reported
2024-06-12 22:04
Platform
win7-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_265426359 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe"
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
Files
\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
| MD5 | 735ef1b70fad1fba9793abd27a803803 |
| SHA1 | 0e082f539a1e9fc9fca3141613e813fc2e113779 |
| SHA256 | 6881582e0dc0dcdcb9009b6cce6a0ba369d2372a7405dcbad6ce8d9425fcb68b |
| SHA512 | 4edeebc090af8feba67d04ddb44ad84f36dcc3a2918f3166ade99ab04422ccb0a4f4785ff95f7f7fe4319766f73128907a373b2a2c018eb5771a519936b6165e |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
| MD5 | 5632fd18f63daecf89bb97fd9ce16498 |
| SHA1 | ae71cc4fa464f95a1f3b9aec35bc3efcef050c09 |
| SHA256 | 6931b1d510a5ce817b68fa479622b40458986c99202c85051655df6a1fa824ed |
| SHA512 | f18faef303aa9b35d2213561ab52f8415136c1cdabee37b28cb4e909cb02128a4693b6e1d4c37b36da1eb603ffd18752b566f97355a8d14113974756cf59ceb3 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
| MD5 | bac4bae81b691ce3c15f05b6e9063e08 |
| SHA1 | 8b012d50318bdc868097d3f6cf1d7db7c55f3d04 |
| SHA256 | f5271dfddd6ba8b37ea950cb839439d4d38cf0de0400b6fb9f2cad4ed87b41e2 |
| SHA512 | 7ece1da4398f3ad0c65e99b2807ffdaeb89c8397eccf5e5763ed67498151a27cf06297326c651b91c560a0a29532a46d68a715a0dcf133c7dc055e0e1e5309d2 |
memory/2168-35-0x00000000011C0000-0x00000000015C6000-memory.dmp
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
| MD5 | 8ad28e79941ce3e002804dfe1722ea87 |
| SHA1 | f0a6461b893023261056dcb0dcfab0c21615a24f |
| SHA256 | 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933 |
| SHA512 | de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
| MD5 | 488e9ca1377ac6a7952f122520fab933 |
| SHA1 | b29f32f46806632fbc3fe706cc862989f7944669 |
| SHA256 | a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088 |
| SHA512 | 591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c |
\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
| MD5 | f263e07e90109e09ff4e5e5419136c39 |
| SHA1 | 2935f14136ba18825bf6942ce0db8ef4984f9176 |
| SHA256 | dab0fcfdf3cfe20720876485a5eac1700974dee37e06b5e71c5bc89c02e5fdd2 |
| SHA512 | cb0173e92acfd3729aeb801ef8ecbeb4d35e1b09dfd47365e8889b856fd214a56189f29635e859b9cdb2ce2c8ee0ef3551d110200627ac41ba9b516c91c2ee14 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
| MD5 | 55082b61c8c331e92b32f4a1ace3f1f0 |
| SHA1 | 6b485e30084efd8c03bba513f3e61977ac7c2456 |
| SHA256 | 6a2068ec8368f8037ec87bc18600afe60da6d1a63ee9a38fe29a1f78e275d5f9 |
| SHA512 | a487c7d9f5eaf8c126fc73913016d044f1dd116183f95d28ceb7acb293e7deee84d61173c5390ba5f4808884a7e4accfe4c0e762b49c497b7bbb91d7cb58234b |
memory/2168-393-0x00000000011C0000-0x00000000015C6000-memory.dmp
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
| MD5 | 5b132f3ee089bc927545e96451c76a92 |
| SHA1 | 5ebf65c40ad6ecf56f4bb8510384fb8df5b69d70 |
| SHA256 | 51e3825628662ba364701e8b5a9005f19d8d9f0579a3853f4aae3d5dbe4398c1 |
| SHA512 | 5680e51b7eaf8eb4fd3e68370703b03abb985927c0d5982fafe29a122990d66e093d23d50f4a7120a7a9ba6057a982c24e1fe4f5b611af5a178d3946acbcbe2d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 22:01
Reported
2024-06-12 22:04
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_265426359 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_5654643528cdd52e8a3371553e989349_bkransomware_karagany.exe"
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | secure.logmeinrescue-enterprise.com | udp |
| GB | 158.120.18.91:443 | secure.logmeinrescue-enterprise.com | tcp |
| US | 8.8.8.8:53 | control.rsc-app26-02.logmeinrescue-enterprise.com | udp |
| US | 158.120.25.156:443 | control.rsc-app26-02.logmeinrescue-enterprise.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.18.120.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 156.25.120.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
| MD5 | 735ef1b70fad1fba9793abd27a803803 |
| SHA1 | 0e082f539a1e9fc9fca3141613e813fc2e113779 |
| SHA256 | 6881582e0dc0dcdcb9009b6cce6a0ba369d2372a7405dcbad6ce8d9425fcb68b |
| SHA512 | 4edeebc090af8feba67d04ddb44ad84f36dcc3a2918f3166ade99ab04422ccb0a4f4785ff95f7f7fe4319766f73128907a373b2a2c018eb5771a519936b6165e |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
| MD5 | 5632fd18f63daecf89bb97fd9ce16498 |
| SHA1 | ae71cc4fa464f95a1f3b9aec35bc3efcef050c09 |
| SHA256 | 6931b1d510a5ce817b68fa479622b40458986c99202c85051655df6a1fa824ed |
| SHA512 | f18faef303aa9b35d2213561ab52f8415136c1cdabee37b28cb4e909cb02128a4693b6e1d4c37b36da1eb603ffd18752b566f97355a8d14113974756cf59ceb3 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log
| MD5 | fbff9022ca6db8d4b9cdf67012081769 |
| SHA1 | cd5ddb07d9fa0c6e49d630d61d4c6a015391b32c |
| SHA256 | a749e7847167f0f8dad0e69944478878bc78e644589aa1252b746cca4e3b07f1 |
| SHA512 | 1df64921d20fd01cbb434ad996c9148ca042ad015ca9abfde53cbd6b6569deb5ce10b5b6c2fdd4ea0366c24362d22898dfe0f1b41e0cdc99e799b921e696e589 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
| MD5 | bac4bae81b691ce3c15f05b6e9063e08 |
| SHA1 | 8b012d50318bdc868097d3f6cf1d7db7c55f3d04 |
| SHA256 | f5271dfddd6ba8b37ea950cb839439d4d38cf0de0400b6fb9f2cad4ed87b41e2 |
| SHA512 | 7ece1da4398f3ad0c65e99b2807ffdaeb89c8397eccf5e5763ed67498151a27cf06297326c651b91c560a0a29532a46d68a715a0dcf133c7dc055e0e1e5309d2 |
memory/2732-34-0x00000000031E0000-0x00000000031E1000-memory.dmp
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
| MD5 | 8ad28e79941ce3e002804dfe1722ea87 |
| SHA1 | f0a6461b893023261056dcb0dcfab0c21615a24f |
| SHA256 | 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933 |
| SHA512 | de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
| MD5 | 488e9ca1377ac6a7952f122520fab933 |
| SHA1 | b29f32f46806632fbc3fe706cc862989f7944669 |
| SHA256 | a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088 |
| SHA512 | 591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
| MD5 | f263e07e90109e09ff4e5e5419136c39 |
| SHA1 | 2935f14136ba18825bf6942ce0db8ef4984f9176 |
| SHA256 | dab0fcfdf3cfe20720876485a5eac1700974dee37e06b5e71c5bc89c02e5fdd2 |
| SHA512 | cb0173e92acfd3729aeb801ef8ecbeb4d35e1b09dfd47365e8889b856fd214a56189f29635e859b9cdb2ce2c8ee0ef3551d110200627ac41ba9b516c91c2ee14 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
| MD5 | ebe93baf261cbec2c267bf6df8da9ebd |
| SHA1 | 87cab7a821ae544968c893e5de80204f1686ad57 |
| SHA256 | f2f77bdbc7e58f135135624316ed06befa631165f1c180e600749ee43e48a82d |
| SHA512 | 2694f5e9527766d2bddd696461befadc7c94fde32a18a038c499398b25ee4602638e6a429465cb72481d2aeaf83e08bd39790ac03c60b25737ddb28e066d6968 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
| MD5 | d710e2a358eaf88dbad87de386cd6613 |
| SHA1 | 4210cd611a5d03cba68781541bda3a75807ee8d7 |
| SHA256 | 392fc242084881625dc35ac40bf0d9dc6460d6e70e3b81a9ff3b6e6bf6b1ba7c |
| SHA512 | b703daa58cf8e1a667442409a5201e12b040efeb7dc69ec071444a4a18ff20b354840be0e504a224b6b2923895e35d956ebb4a53d4aa57b3e214514d75ab15b3 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
| MD5 | d8798fb4576cb81451c28fe2bdd43e8e |
| SHA1 | a45cb074b52c372e5dfd4966c9a17b9eaa7daa7b |
| SHA256 | a09b6bb1b1b877d30d9aca5ad7a8294bff9d37dbf0e4869e74017087584c510f |
| SHA512 | c589c4709f9c2c0144689c4f882cb68cd7402220c101f341346deae3b8667ac9cbae7c4848d592cc73b6a99a1f620ebaf9b5c08f901475e125fe36e49f7cb690 |