Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 12-06-2024 13:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
Size: 1.8MB
MD5: f6680aaa924df0c0b58dd6533b2ced87
SHA1: d5aaffa2e9d92cfb99b42e8de23d83837452365c
SHA256: 11969f6223faf66e4ea0d42751d650ac09307b28f7718d794b892f087ae1efe7
SHA512: e33cb12419ecf5dc7d5149c28f8ee28e110c3aca98c79b0bfb90d01a762684963ec46007f02f7d6e7c5b385fe8d141b090009509cca5f0e05b0d0f0fa51f0ae5
SSDEEP: 24576:i6AGAwDs8N8xsjIQJO2QPNLY9z3Jz8NTjxSKzdHOEJRbbDTtnn2Ehm+HpF0X:iGsziMmONP1Y9z3x8NVz/zTxn2ErHL0X
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes:
    pid 1648  lmi_rescue.exe

Loads dropped DLL (3 IoCs)
  Processes:
    pid 1936  2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
    pid 1648  lmi_rescue.exe
    pid 1648  lmi_rescue.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_979372298 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"
    process: lmi_rescue.exe

Checks whether UAC is enabled
  Processes:
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: lmi_rescue.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description: File opened for modification
    ioc: \??\PhysicalDrive0
    process: lmi_rescue.exe

Modifies registry class (3 IoCs)
  Processes:
    Key created      \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe           lmi_rescue.exe
    Key created      \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications                           lmi_rescue.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp lmi_rescue.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid 1648  lmi_rescue.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeCreateGlobalPrivilege  pid 1648  lmi_rescue.exe
    Token: SeCreateGlobalPrivilege  pid 1648  lmi_rescue.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 1648  lmi_rescue.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (6 identical entries):
    description: PID 1936 wrote to memory of 1648
    pid: 1936
    process: 2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
    target process: lmi_rescue.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      Command line: "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
  Filesize: 134KB
  MD5: 633cf56611302de249dd0fab08cabb8c
  SHA1: 5d7c78f0dc299f9be19c86aed4884af58219ae89
  SHA256: 505c42dbd7901ac7eba5de3d2c0799e8e13943d887c2409cc5ee15a56e77b948
  SHA512: 4af7ba25df392c91d4d24314f00f3144fff503e59af7a2a072cde3d340e00813d45c4e60941c5f57aa275d773447ea70a4dbc693d0362bfa8aa5001c13ab0227
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
  Filesize: 98B
  MD5: 1b034a094e86f84ede54416c68f98b43
  SHA1: 87b71c3b47a369b63f403e21e5cc2c99df20f810
  SHA256: 6204872323cc64fa21bf1356691e682dd08ddfea413e43fd9ea1f2442135f8fe
  SHA512: df3d0876e2dd85265397135f71e62aaa64b89c27d73f8eadc540d58dd7df4d6d617361d315b8a4d0ccc9d0a7c64eec218ff4e1d5f565393a991203b1f94dc90b
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
  Filesize: 3.8MB
  MD5: 6500a048afb723496c17bd622f8e7672
  SHA1: 2c690925c69f1c8b94e57e913f88f05595ed203a
  SHA256: 1403315ab840346f24f2b06689b7b273ca17ebc4a45fa9fbe97a4ef273a26718
  SHA512: 32003ad20a22c7d04f87d4384082446ce898fd97e64e6615364bef3a102569422abdaff4c54558c25f7793c6408bf33f3e9b529e006e3216c71cebed687caee6
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
  Filesize: 7KB
  MD5: e69cf584632107614b643e318a2b3f76
  SHA1: 0e10ec0c33d888886db2126b6825b05ddfdb2982
  SHA256: 375070d317e3de5471ea5ee0906a9cff3084497d6a69d6b07c9d4de69ddc3c6f
  SHA512: 31f3de5040504f314d83e03ad1c64979284326b3892cf45bd67c65fd85245a3b815f7622aa59c174c582eec984a6a351cc5fa1c5ec8c3f27683498d1cf0f0c2e
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
  Filesize: 530B
  MD5: 98a547aa8f1d3fcb5a9f5b16e94f4502
  SHA1: 9e0f42eb7a9bb317f3e49996bd51746e075ed19e
  SHA256: aab79372f338a06f9c019b6343e570192f28adb77659692934f4a163c13fd906
  SHA512: 65474d2349064ed1fde212d1a76e4ff55213ff1e32ba6b2acf9dd194408387613993b6f7f5edc7ab00e43c8b2357e77a8a289f7ea3edec7d377061decde725b5
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
  Filesize: 230KB
  MD5: 3a118c52940441758c2141b021bb3851
  SHA1: aea323917d755a6fe685cb772cf2c23e92efa096
  SHA256: 79b1c5fb3f2a921c2d6daefa936bc7361f48966dccdc82e1c1905900abfc7e6d
  SHA512: 9e6ecde6f298b1d111e0fbaa5833dec9c5fcd320f3cb2aff43374452a09612ba2f098ae1b97e0936e4bbffa8a7c3aa72f45b56fb281a85ceac6803fbe436c353
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
  Filesize: 48KB
  MD5: 51fa8f4746f1a481c5ea25931e99ed77
  SHA1: 76a78677e527a0564533d90ed16fe5d7da8102e2
  SHA256: ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7
  SHA512: c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
  Filesize: 6KB
  MD5: 088857c90b903bc4bb792e64fb470560
  SHA1: 02ed136d1c40b287100d08fd91638d4971aaba64
  SHA256: bda602c3dd5e98494e30276396145efa992744fc00d96d1faf88c283fa2b0985
  SHA512: d59144be5e1aa4366e48b5ad98adc9506bd212810537cfac976f2918369d332b0082e98ddeb372e90c05636f5a0c00473ffddd84386524e224d872b7e40da5d1
memory/1648-34-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB