Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 13:26

General

  • Target

    2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe

  • Size

    1.8MB

  • MD5

    f6680aaa924df0c0b58dd6533b2ced87

  • SHA1

    d5aaffa2e9d92cfb99b42e8de23d83837452365c

  • SHA256

    11969f6223faf66e4ea0d42751d650ac09307b28f7718d794b892f087ae1efe7

  • SHA512

    e33cb12419ecf5dc7d5149c28f8ee28e110c3aca98c79b0bfb90d01a762684963ec46007f02f7d6e7c5b385fe8d141b090009509cca5f0e05b0d0f0fa51f0ae5

  • SSDEEP

    24576:i6AGAwDs8N8xsjIQJO2QPNLY9z3Jz8NTjxSKzdHOEJRbbDTtnn2Ehm+HpF0X:iGsziMmONP1Y9z3x8NVz/zTxn2ErHL0X

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. In this run the write is attributed to the dropped lmi_rescue.exe (PID 4760); confirm it by dumping the first sector of the disk and comparing it against a known-good baseline before treating the sample as a bootkit.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
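
The check an analyst runs after a sandbox attributes a "Writes to the Master Boot Record (MBR)" event to a process, as an added example that is not part of this report and not LogMeIn's or the sandbox's code: parse a 512-byte MBR image into bootstrap code, disk signature, partition table and boot signature, then diff it against a known-good baseline. The function names (parse_mbr, diff_mbr, build_sample_mbr) and both sector images are constructed for the example; on a live Windows host the 512 bytes come from \\.\PhysicalDrive0 opened with administrator rights.

```python
"""Parse and diff an MBR sector. Added example; sample sectors are constructed, not captured."""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 0x1B8            # 440 bytes of boot code the BIOS jumps into
DISK_SIG_OFFSET = 0x1B8           # 4-byte Windows disk signature
PARTITION_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 510..511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into its fields; raises on a wrong-sized input."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    bootstrap = sector[:BOOTSTRAP_SIZE]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty entry
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Return human-readable findings for every field that differs from the baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        findings.append("bootstrap code changed: possible bootkit install")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a sector for the example: given boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOTSTRAP_SIZE] = bootstrap[:BOOTSTRAP_SIZE].ljust(BOOTSTRAP_SIZE, b"\x00")
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)   # constructed disk signature
    # entry 0: bootable (0x80), type 0x07 (NTFS), starts at LBA 2048, 1,000,000 sectors
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for normal boot code (xor ax,ax / mov ss,ax / mov sp,7C00h, then NOP padding).
CLEAN_BOOTSTRAP = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTSTRAP_SIZE - 7)
BASELINE_MBR = build_sample_mbr(CLEAN_BOOTSTRAP)
# Constructed tampered sector: boot code replaced, partition table and signature left intact,
# which is the shape of an MBR bootkit install.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C" + b"\x00" * (BOOTSTRAP_SIZE - 2))

if __name__ == "__main__":
    # On a live Windows host (administrator rights required):
    #   current = open(r"\\.\PhysicalDrive0", "rb").read(512)
    for finding in diff_mbr(BASELINE_MBR, TAMPERED_MBR):
        print(finding)
```

The baseline should be captured from the same disk before detonation (or from a golden image); comparing the bootstrap hash rather than the whole sector keeps the diff quiet when only the partition table or disk signature legitimately changes.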

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (1 signature)
  • T1547.001 Registry Run Keys / Startup Folder (1 signature)
  • T1542 Pre-OS Boot (1 signature)
  • T1542.003 Bootkit (1 signature)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1 signature)
  • T1547.001 Registry Run Keys / Startup Folder (1 signature)

Defense Evasion

  • T1112 Modify Registry (1 signature)
  • T1542 Pre-OS Boot (1 signature)
  • T1542.003 Bootkit (1 signature)

Discovery

  • T1082 System Information Discovery (2 signatures)

Downloads

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
    Filesize

    134KB

    MD5

    633cf56611302de249dd0fab08cabb8c

    SHA1

    5d7c78f0dc299f9be19c86aed4884af58219ae89

    SHA256

    505c42dbd7901ac7eba5de3d2c0799e8e13943d887c2409cc5ee15a56e77b948

    SHA512

    4af7ba25df392c91d4d24314f00f3144fff503e59af7a2a072cde3d340e00813d45c4e60941c5f57aa275d773447ea70a4dbc693d0362bfa8aa5001c13ab0227

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
    Filesize

    97B

    MD5

    cfb67bfe783ea40c5571b0f96f1616ec

    SHA1

    50d99b6f8ea52bc48c25fdeb6131a5e3cf606dfc

    SHA256

    91c4673e31a81f3ac5d0a78f5f6befe632de2045f62136a5bd5fc82f84b461da

    SHA512

    403c0dc1066858b3beff94b60ad3d1106479c691bba00c99a463a49cc6b26b404faa974388cfb415ff880c74d35eb3d938f8d999feb60aec52d459d2960ca701

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
    Filesize

    3.8MB

    MD5

    6500a048afb723496c17bd622f8e7672

    SHA1

    2c690925c69f1c8b94e57e913f88f05595ed203a

    SHA256

    1403315ab840346f24f2b06689b7b273ca17ebc4a45fa9fbe97a4ef273a26718

    SHA512

    32003ad20a22c7d04f87d4384082446ce898fd97e64e6615364bef3a102569422abdaff4c54558c25f7793c6408bf33f3e9b529e006e3216c71cebed687caee6

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
    Filesize

    7KB

    MD5

    e69cf584632107614b643e318a2b3f76

    SHA1

    0e10ec0c33d888886db2126b6825b05ddfdb2982

    SHA256

    375070d317e3de5471ea5ee0906a9cff3084497d6a69d6b07c9d4de69ddc3c6f

    SHA512

    31f3de5040504f314d83e03ad1c64979284326b3892cf45bd67c65fd85245a3b815f7622aa59c174c582eec984a6a351cc5fa1c5ec8c3f27683498d1cf0f0c2e

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
    Filesize

    530B

    MD5

    98a547aa8f1d3fcb5a9f5b16e94f4502

    SHA1

    9e0f42eb7a9bb317f3e49996bd51746e075ed19e

    SHA256

    aab79372f338a06f9c019b6343e570192f28adb77659692934f4a163c13fd906

    SHA512

    65474d2349064ed1fde212d1a76e4ff55213ff1e32ba6b2acf9dd194408387613993b6f7f5edc7ab00e43c8b2357e77a8a289f7ea3edec7d377061decde725b5

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
    Filesize

    230KB

    MD5

    3a118c52940441758c2141b021bb3851

    SHA1

    aea323917d755a6fe685cb772cf2c23e92efa096

    SHA256

    79b1c5fb3f2a921c2d6daefa936bc7361f48966dccdc82e1c1905900abfc7e6d

    SHA512

    9e6ecde6f298b1d111e0fbaa5833dec9c5fcd320f3cb2aff43374452a09612ba2f098ae1b97e0936e4bbffa8a7c3aa72f45b56fb281a85ceac6803fbe436c353

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
    Filesize

    48KB

    MD5

    51fa8f4746f1a481c5ea25931e99ed77

    SHA1

    76a78677e527a0564533d90ed16fe5d7da8102e2

    SHA256

    ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7

    SHA512

    c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
    Filesize

    5KB

    MD5

    19ec62d0d20ab0ab84de70583e1c2bf4

    SHA1

    0ba4c6b35e7370ed73eebd33407bf1719f27aaf1

    SHA256

    50ba295bcadfddf9119f61c3fcc778936d9778c457bf5bdd34bf8b816771e929

    SHA512

    c2042d7d1a4779483b8f339238c040e0bd829de90bdb6dcae5794daf494c750b976433a413ff089cf98e9b65d7caf3e9adc7c26bdd6cadb002fef0931b3fd847

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
    Filesize

    3KB

    MD5

    5232ffc1a1f72fe256b073d08fe34817

    SHA1

    11de43377eb6fb8d68ff6a64f854edde8aa735a7

    SHA256

    a49a4b1030799dac4dad3450ead7e15f9267e2903ea157a362ebd69e00e63cf6

    SHA512

    b7bad02563b1fca98e7530cb79682c8dbbe0f669afea560a8255fccb6c451ec191c3c3ea8aa78b375832bc8f330e2a26f9ffca5e3081cbec1fcfbe26ce02f655

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log
    Filesize

    346B

    MD5

    bbc21f3bb44297821dc2221f3220b0c5

    SHA1

    6ed0c780a9b1149a881eb61993196002ad9818fb

    SHA256

    ad6498a536ddece3d94a8b0759ef2e7fcf355d72bcde77e07582e6e6353c4c9d

    SHA512

    f7f5495b6b5d1bb31b7869d46076faa9f7d3393b4493af62666f6dd07e5c45592aa46ff81534af9a83e32b3f43e5e67746e68a151ec50d4b4c062ccea9571b08

  • memory/4760-34-0x0000000003330000-0x0000000003331000-memory.dmp
    Filesize

    4KB