Analysis Overview
SHA256
11969f6223faf66e4ea0d42751d650ac09307b28f7718d794b892f087ae1efe7
Threat Level: Shows suspicious behavior
The file 2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 13:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 13:26
Reported
2024-06-12 13:29
Platform
win7-20240508-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_979372298 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
Files
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
| MD5 | 6500a048afb723496c17bd622f8e7672 |
| SHA1 | 2c690925c69f1c8b94e57e913f88f05595ed203a |
| SHA256 | 1403315ab840346f24f2b06689b7b273ca17ebc4a45fa9fbe97a4ef273a26718 |
| SHA512 | 32003ad20a22c7d04f87d4384082446ce898fd97e64e6615364bef3a102569422abdaff4c54558c25f7793c6408bf33f3e9b529e006e3216c71cebed687caee6 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
| MD5 | 98a547aa8f1d3fcb5a9f5b16e94f4502 |
| SHA1 | 9e0f42eb7a9bb317f3e49996bd51746e075ed19e |
| SHA256 | aab79372f338a06f9c019b6343e570192f28adb77659692934f4a163c13fd906 |
| SHA512 | 65474d2349064ed1fde212d1a76e4ff55213ff1e32ba6b2acf9dd194408387613993b6f7f5edc7ab00e43c8b2357e77a8a289f7ea3edec7d377061decde725b5 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
| MD5 | 3a118c52940441758c2141b021bb3851 |
| SHA1 | aea323917d755a6fe685cb772cf2c23e92efa096 |
| SHA256 | 79b1c5fb3f2a921c2d6daefa936bc7361f48966dccdc82e1c1905900abfc7e6d |
| SHA512 | 9e6ecde6f298b1d111e0fbaa5833dec9c5fcd320f3cb2aff43374452a09612ba2f098ae1b97e0936e4bbffa8a7c3aa72f45b56fb281a85ceac6803fbe436c353 |
memory/1648-34-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
| MD5 | 51fa8f4746f1a481c5ea25931e99ed77 |
| SHA1 | 76a78677e527a0564533d90ed16fe5d7da8102e2 |
| SHA256 | ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7 |
| SHA512 | c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
| MD5 | e69cf584632107614b643e318a2b3f76 |
| SHA1 | 0e10ec0c33d888886db2126b6825b05ddfdb2982 |
| SHA256 | 375070d317e3de5471ea5ee0906a9cff3084497d6a69d6b07c9d4de69ddc3c6f |
| SHA512 | 31f3de5040504f314d83e03ad1c64979284326b3892cf45bd67c65fd85245a3b815f7622aa59c174c582eec984a6a351cc5fa1c5ec8c3f27683498d1cf0f0c2e |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
| MD5 | 633cf56611302de249dd0fab08cabb8c |
| SHA1 | 5d7c78f0dc299f9be19c86aed4884af58219ae89 |
| SHA256 | 505c42dbd7901ac7eba5de3d2c0799e8e13943d887c2409cc5ee15a56e77b948 |
| SHA512 | 4af7ba25df392c91d4d24314f00f3144fff503e59af7a2a072cde3d340e00813d45c4e60941c5f57aa275d773447ea70a4dbc693d0362bfa8aa5001c13ab0227 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
| MD5 | 1b034a094e86f84ede54416c68f98b43 |
| SHA1 | 87b71c3b47a369b63f403e21e5cc2c99df20f810 |
| SHA256 | 6204872323cc64fa21bf1356691e682dd08ddfea413e43fd9ea1f2442135f8fe |
| SHA512 | df3d0876e2dd85265397135f71e62aaa64b89c27d73f8eadc540d58dd7df4d6d617361d315b8a4d0ccc9d0a7c64eec218ff4e1d5f565393a991203b1f94dc90b |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
| MD5 | 088857c90b903bc4bb792e64fb470560 |
| SHA1 | 02ed136d1c40b287100d08fd91638d4971aaba64 |
| SHA256 | bda602c3dd5e98494e30276396145efa992744fc00d96d1faf88c283fa2b0985 |
| SHA512 | d59144be5e1aa4366e48b5ad98adc9506bd212810537cfac976f2918369d332b0082e98ddeb372e90c05636f5a0c00473ffddd84386524e224d872b7e40da5d1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 13:26
Reported
2024-06-12 13:29
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_979372298 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6680aaa924df0c0b58dd6533b2ced87_bkransomware_karagany.exe"
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
| US | 8.8.8.8:53 | secure.logmeinrescue.com | udp |
Files
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
| MD5 | 6500a048afb723496c17bd622f8e7672 |
| SHA1 | 2c690925c69f1c8b94e57e913f88f05595ed203a |
| SHA256 | 1403315ab840346f24f2b06689b7b273ca17ebc4a45fa9fbe97a4ef273a26718 |
| SHA512 | 32003ad20a22c7d04f87d4384082446ce898fd97e64e6615364bef3a102569422abdaff4c54558c25f7793c6408bf33f3e9b529e006e3216c71cebed687caee6 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
| MD5 | 98a547aa8f1d3fcb5a9f5b16e94f4502 |
| SHA1 | 9e0f42eb7a9bb317f3e49996bd51746e075ed19e |
| SHA256 | aab79372f338a06f9c019b6343e570192f28adb77659692934f4a163c13fd906 |
| SHA512 | 65474d2349064ed1fde212d1a76e4ff55213ff1e32ba6b2acf9dd194408387613993b6f7f5edc7ab00e43c8b2357e77a8a289f7ea3edec7d377061decde725b5 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log
| MD5 | bbc21f3bb44297821dc2221f3220b0c5 |
| SHA1 | 6ed0c780a9b1149a881eb61993196002ad9818fb |
| SHA256 | ad6498a536ddece3d94a8b0759ef2e7fcf355d72bcde77e07582e6e6353c4c9d |
| SHA512 | f7f5495b6b5d1bb31b7869d46076faa9f7d3393b4493af62666f6dd07e5c45592aa46ff81534af9a83e32b3f43e5e67746e68a151ec50d4b4c062ccea9571b08 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
| MD5 | 3a118c52940441758c2141b021bb3851 |
| SHA1 | aea323917d755a6fe685cb772cf2c23e92efa096 |
| SHA256 | 79b1c5fb3f2a921c2d6daefa936bc7361f48966dccdc82e1c1905900abfc7e6d |
| SHA512 | 9e6ecde6f298b1d111e0fbaa5833dec9c5fcd320f3cb2aff43374452a09612ba2f098ae1b97e0936e4bbffa8a7c3aa72f45b56fb281a85ceac6803fbe436c353 |
memory/4760-34-0x0000000003330000-0x0000000003331000-memory.dmp
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
| MD5 | 51fa8f4746f1a481c5ea25931e99ed77 |
| SHA1 | 76a78677e527a0564533d90ed16fe5d7da8102e2 |
| SHA256 | ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7 |
| SHA512 | c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
| MD5 | e69cf584632107614b643e318a2b3f76 |
| SHA1 | 0e10ec0c33d888886db2126b6825b05ddfdb2982 |
| SHA256 | 375070d317e3de5471ea5ee0906a9cff3084497d6a69d6b07c9d4de69ddc3c6f |
| SHA512 | 31f3de5040504f314d83e03ad1c64979284326b3892cf45bd67c65fd85245a3b815f7622aa59c174c582eec984a6a351cc5fa1c5ec8c3f27683498d1cf0f0c2e |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
| MD5 | 633cf56611302de249dd0fab08cabb8c |
| SHA1 | 5d7c78f0dc299f9be19c86aed4884af58219ae89 |
| SHA256 | 505c42dbd7901ac7eba5de3d2c0799e8e13943d887c2409cc5ee15a56e77b948 |
| SHA512 | 4af7ba25df392c91d4d24314f00f3144fff503e59af7a2a072cde3d340e00813d45c4e60941c5f57aa275d773447ea70a4dbc693d0362bfa8aa5001c13ab0227 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
| MD5 | 5232ffc1a1f72fe256b073d08fe34817 |
| SHA1 | 11de43377eb6fb8d68ff6a64f854edde8aa735a7 |
| SHA256 | a49a4b1030799dac4dad3450ead7e15f9267e2903ea157a362ebd69e00e63cf6 |
| SHA512 | b7bad02563b1fca98e7530cb79682c8dbbe0f669afea560a8255fccb6c451ec191c3c3ea8aa78b375832bc8f330e2a26f9ffca5e3081cbec1fcfbe26ce02f655 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
| MD5 | cfb67bfe783ea40c5571b0f96f1616ec |
| SHA1 | 50d99b6f8ea52bc48c25fdeb6131a5e3cf606dfc |
| SHA256 | 91c4673e31a81f3ac5d0a78f5f6befe632de2045f62136a5bd5fc82f84b461da |
| SHA512 | 403c0dc1066858b3beff94b60ad3d1106479c691bba00c99a463a49cc6b26b404faa974388cfb415ff880c74d35eb3d938f8d999feb60aec52d459d2960ca701 |
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
| MD5 | 19ec62d0d20ab0ab84de70583e1c2bf4 |
| SHA1 | 0ba4c6b35e7370ed73eebd33407bf1719f27aaf1 |
| SHA256 | 50ba295bcadfddf9119f61c3fcc778936d9778c457bf5bdd34bf8b816771e929 |
| SHA512 | c2042d7d1a4779483b8f339238c040e0bd829de90bdb6dcae5794daf494c750b976433a413ff089cf98e9b65d7caf3e9adc7c26bdd6cadb002fef0931b3fd847 |