Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 13:26

General

  • Target
    2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
  • Size
    1.8MB
  • MD5
    f6680aaa924df0c0b58dd6533b2ced87
  • SHA1
    d5aaffa2e9d92cfb99b42e8de23d83837452365c
  • SHA256
    11969f6223faf66e4ea0d42751d650ac09307b28f7718d794b892f087ae1efe7
  • SHA512
    e33cb12419ecf5dc7d5149c28f8ee28e110c3aca98c79b0bfb90d01a762684963ec46007f02f7d6e7c5b385fe8d141b090009509cca5f0e05b0d0f0fa51f0ae5
  • SSDEEP
    24576:i6AGAwDs8N8xsjIQJO2QPNLY9z3Jz8NTjxSKzdHOEJRbbDTtnn2Ehm+HpF0X:iGsziMmONP1Y9z3x8NVz/zTxn2ErHL0X

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
    • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1
  • Discovery
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
    Filesize: 134KB
    MD5: 633cf56611302de249dd0fab08cabb8c
    SHA1: 5d7c78f0dc299f9be19c86aed4884af58219ae89
    SHA256: 505c42dbd7901ac7eba5de3d2c0799e8e13943d887c2409cc5ee15a56e77b948
    SHA512: 4af7ba25df392c91d4d24314f00f3144fff503e59af7a2a072cde3d340e00813d45c4e60941c5f57aa275d773447ea70a4dbc693d0362bfa8aa5001c13ab0227

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
    Filesize: 98B
    MD5: 1b034a094e86f84ede54416c68f98b43
    SHA1: 87b71c3b47a369b63f403e21e5cc2c99df20f810
    SHA256: 6204872323cc64fa21bf1356691e682dd08ddfea413e43fd9ea1f2442135f8fe
    SHA512: df3d0876e2dd85265397135f71e62aaa64b89c27d73f8eadc540d58dd7df4d6d617361d315b8a4d0ccc9d0a7c64eec218ff4e1d5f565393a991203b1f94dc90b

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
    Filesize: 3.8MB
    MD5: 6500a048afb723496c17bd622f8e7672
    SHA1: 2c690925c69f1c8b94e57e913f88f05595ed203a
    SHA256: 1403315ab840346f24f2b06689b7b273ca17ebc4a45fa9fbe97a4ef273a26718
    SHA512: 32003ad20a22c7d04f87d4384082446ce898fd97e64e6615364bef3a102569422abdaff4c54558c25f7793c6408bf33f3e9b529e006e3216c71cebed687caee6

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
    Filesize: 7KB
    MD5: e69cf584632107614b643e318a2b3f76
    SHA1: 0e10ec0c33d888886db2126b6825b05ddfdb2982
    SHA256: 375070d317e3de5471ea5ee0906a9cff3084497d6a69d6b07c9d4de69ddc3c6f
    SHA512: 31f3de5040504f314d83e03ad1c64979284326b3892cf45bd67c65fd85245a3b815f7622aa59c174c582eec984a6a351cc5fa1c5ec8c3f27683498d1cf0f0c2e

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
    Filesize: 530B
    MD5: 98a547aa8f1d3fcb5a9f5b16e94f4502
    SHA1: 9e0f42eb7a9bb317f3e49996bd51746e075ed19e
    SHA256: aab79372f338a06f9c019b6343e570192f28adb77659692934f4a163c13fd906
    SHA512: 65474d2349064ed1fde212d1a76e4ff55213ff1e32ba6b2acf9dd194408387613993b6f7f5edc7ab00e43c8b2357e77a8a289f7ea3edec7d377061decde725b5

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
    Filesize: 230KB
    MD5: 3a118c52940441758c2141b021bb3851
    SHA1: aea323917d755a6fe685cb772cf2c23e92efa096
    SHA256: 79b1c5fb3f2a921c2d6daefa936bc7361f48966dccdc82e1c1905900abfc7e6d
    SHA512: 9e6ecde6f298b1d111e0fbaa5833dec9c5fcd320f3cb2aff43374452a09612ba2f098ae1b97e0936e4bbffa8a7c3aa72f45b56fb281a85ceac6803fbe436c353

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
    Filesize: 48KB
    MD5: 51fa8f4746f1a481c5ea25931e99ed77
    SHA1: 76a78677e527a0564533d90ed16fe5d7da8102e2
    SHA256: ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7
    SHA512: c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
    Filesize: 6KB
    MD5: 088857c90b903bc4bb792e64fb470560
    SHA1: 02ed136d1c40b287100d08fd91638d4971aaba64
    SHA256: bda602c3dd5e98494e30276396145efa992744fc00d96d1faf88c283fa2b0985
    SHA512: d59144be5e1aa4366e48b5ad98adc9506bd212810537cfac976f2918369d332b0082e98ddeb372e90c05636f5a0c00473ffddd84386524e224d872b7e40da5d1

  • memory/1648-34-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB