Malware Analysis Report

2024-09-23 12:06

Sample ID 240612-qptkgawfqb
Target 2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany
SHA256 11969f6223faf66e4ea0d42751d650ac09307b28f7718d794b892f087ae1efe7
Tags
bootkit evasion persistence trojan
score
7/10


Analysis Overview

score
7/10

SHA256

11969f6223faf66e4ea0d42751d650ac09307b28f7718d794b892f087ae1efe7

Threat Level: Shows suspicious behavior

The file 2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany was found to show suspicious behavior.

Malicious Activity Summary

bootkit evasion persistence trojan

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:26

Reported

2024-06-12 13:29

Platform

win7-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_979372298 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeCreateGlobalPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A
(this entry is recorded twice in the report)

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country: US
Destination: 8.8.8.8:53
Domain: secure.logmeinrescue.com
Proto: udp
(this DNS query is recorded 10 times in the report)

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

MD5 6500a048afb723496c17bd622f8e7672
SHA1 2c690925c69f1c8b94e57e913f88f05595ed203a
SHA256 1403315ab840346f24f2b06689b7b273ca17ebc4a45fa9fbe97a4ef273a26718
SHA512 32003ad20a22c7d04f87d4384082446ce898fd97e64e6615364bef3a102569422abdaff4c54558c25f7793c6408bf33f3e9b529e006e3216c71cebed687caee6

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

MD5 98a547aa8f1d3fcb5a9f5b16e94f4502
SHA1 9e0f42eb7a9bb317f3e49996bd51746e075ed19e
SHA256 aab79372f338a06f9c019b6343e570192f28adb77659692934f4a163c13fd906
SHA512 65474d2349064ed1fde212d1a76e4ff55213ff1e32ba6b2acf9dd194408387613993b6f7f5edc7ab00e43c8b2357e77a8a289f7ea3edec7d377061decde725b5

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

MD5 3a118c52940441758c2141b021bb3851
SHA1 aea323917d755a6fe685cb772cf2c23e92efa096
SHA256 79b1c5fb3f2a921c2d6daefa936bc7361f48966dccdc82e1c1905900abfc7e6d
SHA512 9e6ecde6f298b1d111e0fbaa5833dec9c5fcd320f3cb2aff43374452a09612ba2f098ae1b97e0936e4bbffa8a7c3aa72f45b56fb281a85ceac6803fbe436c353

memory/1648-34-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

MD5 51fa8f4746f1a481c5ea25931e99ed77
SHA1 76a78677e527a0564533d90ed16fe5d7da8102e2
SHA256 ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7
SHA512 c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

MD5 e69cf584632107614b643e318a2b3f76
SHA1 0e10ec0c33d888886db2126b6825b05ddfdb2982
SHA256 375070d317e3de5471ea5ee0906a9cff3084497d6a69d6b07c9d4de69ddc3c6f
SHA512 31f3de5040504f314d83e03ad1c64979284326b3892cf45bd67c65fd85245a3b815f7622aa59c174c582eec984a6a351cc5fa1c5ec8c3f27683498d1cf0f0c2e

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

MD5 633cf56611302de249dd0fab08cabb8c
SHA1 5d7c78f0dc299f9be19c86aed4884af58219ae89
SHA256 505c42dbd7901ac7eba5de3d2c0799e8e13943d887c2409cc5ee15a56e77b948
SHA512 4af7ba25df392c91d4d24314f00f3144fff503e59af7a2a072cde3d340e00813d45c4e60941c5f57aa275d773447ea70a4dbc693d0362bfa8aa5001c13ab0227

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 1b034a094e86f84ede54416c68f98b43
SHA1 87b71c3b47a369b63f403e21e5cc2c99df20f810
SHA256 6204872323cc64fa21bf1356691e682dd08ddfea413e43fd9ea1f2442135f8fe
SHA512 df3d0876e2dd85265397135f71e62aaa64b89c27d73f8eadc540d58dd7df4d6d617361d315b8a4d0ccc9d0a7c64eec218ff4e1d5f565393a991203b1f94dc90b

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 088857c90b903bc4bb792e64fb470560
SHA1 02ed136d1c40b287100d08fd91638d4971aaba64
SHA256 bda602c3dd5e98494e30276396145efa992744fc00d96d1faf88c283fa2b0985
SHA512 d59144be5e1aa4366e48b5ad98adc9506bd212810537cfac976f2918369d332b0082e98ddeb372e90c05636f5a0c00473ffddd84386524e224d872b7e40da5d1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:26

Reported

2024-06-12 13:29

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_979372298 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeCreateGlobalPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A
(this entry is recorded twice in the report)

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country: US
Destination: 8.8.8.8:53
Domain: secure.logmeinrescue.com
Proto: udp
(this DNS query is recorded 11 times in the report)

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

MD5 6500a048afb723496c17bd622f8e7672
SHA1 2c690925c69f1c8b94e57e913f88f05595ed203a
SHA256 1403315ab840346f24f2b06689b7b273ca17ebc4a45fa9fbe97a4ef273a26718
SHA512 32003ad20a22c7d04f87d4384082446ce898fd97e64e6615364bef3a102569422abdaff4c54558c25f7793c6408bf33f3e9b529e006e3216c71cebed687caee6

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

MD5 98a547aa8f1d3fcb5a9f5b16e94f4502
SHA1 9e0f42eb7a9bb317f3e49996bd51746e075ed19e
SHA256 aab79372f338a06f9c019b6343e570192f28adb77659692934f4a163c13fd906
SHA512 65474d2349064ed1fde212d1a76e4ff55213ff1e32ba6b2acf9dd194408387613993b6f7f5edc7ab00e43c8b2357e77a8a289f7ea3edec7d377061decde725b5

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

MD5 bbc21f3bb44297821dc2221f3220b0c5
SHA1 6ed0c780a9b1149a881eb61993196002ad9818fb
SHA256 ad6498a536ddece3d94a8b0759ef2e7fcf355d72bcde77e07582e6e6353c4c9d
SHA512 f7f5495b6b5d1bb31b7869d46076faa9f7d3393b4493af62666f6dd07e5c45592aa46ff81534af9a83e32b3f43e5e67746e68a151ec50d4b4c062ccea9571b08

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

MD5 3a118c52940441758c2141b021bb3851
SHA1 aea323917d755a6fe685cb772cf2c23e92efa096
SHA256 79b1c5fb3f2a921c2d6daefa936bc7361f48966dccdc82e1c1905900abfc7e6d
SHA512 9e6ecde6f298b1d111e0fbaa5833dec9c5fcd320f3cb2aff43374452a09612ba2f098ae1b97e0936e4bbffa8a7c3aa72f45b56fb281a85ceac6803fbe436c353

memory/4760-34-0x0000000003330000-0x0000000003331000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

MD5 51fa8f4746f1a481c5ea25931e99ed77
SHA1 76a78677e527a0564533d90ed16fe5d7da8102e2
SHA256 ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7
SHA512 c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

MD5 e69cf584632107614b643e318a2b3f76
SHA1 0e10ec0c33d888886db2126b6825b05ddfdb2982
SHA256 375070d317e3de5471ea5ee0906a9cff3084497d6a69d6b07c9d4de69ddc3c6f
SHA512 31f3de5040504f314d83e03ad1c64979284326b3892cf45bd67c65fd85245a3b815f7622aa59c174c582eec984a6a351cc5fa1c5ec8c3f27683498d1cf0f0c2e

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

MD5 633cf56611302de249dd0fab08cabb8c
SHA1 5d7c78f0dc299f9be19c86aed4884af58219ae89
SHA256 505c42dbd7901ac7eba5de3d2c0799e8e13943d887c2409cc5ee15a56e77b948
SHA512 4af7ba25df392c91d4d24314f00f3144fff503e59af7a2a072cde3d340e00813d45c4e60941c5f57aa275d773447ea70a4dbc693d0362bfa8aa5001c13ab0227

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 5232ffc1a1f72fe256b073d08fe34817
SHA1 11de43377eb6fb8d68ff6a64f854edde8aa735a7
SHA256 a49a4b1030799dac4dad3450ead7e15f9267e2903ea157a362ebd69e00e63cf6
SHA512 b7bad02563b1fca98e7530cb79682c8dbbe0f669afea560a8255fccb6c451ec191c3c3ea8aa78b375832bc8f330e2a26f9ffca5e3081cbec1fcfbe26ce02f655

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 cfb67bfe783ea40c5571b0f96f1616ec
SHA1 50d99b6f8ea52bc48c25fdeb6131a5e3cf606dfc
SHA256 91c4673e31a81f3ac5d0a78f5f6befe632de2045f62136a5bd5fc82f84b461da
SHA512 403c0dc1066858b3beff94b60ad3d1106479c691bba00c99a463a49cc6b26b404faa974388cfb415ff880c74d35eb3d938f8d999feb60aec52d459d2960ca701

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 19ec62d0d20ab0ab84de70583e1c2bf4
SHA1 0ba4c6b35e7370ed73eebd33407bf1719f27aaf1
SHA256 50ba295bcadfddf9119f61c3fcc778936d9778c457bf5bdd34bf8b816771e929
SHA512 c2042d7d1a4779483b8f339238c040e0bd829de90bdb6dcae5794daf494c750b976433a413ff089cf98e9b65d7caf3e9adc7c26bdd6cadb002fef0931b3fd847