f2c29d9968979f5ffbed0908253e7b8ae2c1e93a69c4463bd21bb9f01d2118b5

General

Target

2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe
Size

1.8MB
MD5

ef5e8840cc6c5df91b09680117683395
SHA1

3fb6e12778581acc3afb6953725c6c137bb59658
SHA256

f2c29d9968979f5ffbed0908253e7b8ae2c1e93a69c4463bd21bb9f01d2118b5
SHA512

581d9a58ac72e1062645c1df745a35de913a11f5f393116e944c9ec93641a4b3fd8e25b9e236006ef8279e7d2a81641533a85882f7520f4fc04e0efd0f2ccdf0
SSDEEP

49152:nmAdoX4s6K70P4cNuFidXCoBJneGUe6tQPKiqc:mAans4cNdNBJnes6tQPx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	lmi_rescue.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	lmi_rescue.exe
2644	lmi_rescue.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	lmi_rescue.exe
2644	lmi_rescue.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2644	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	2644	lmi_rescue.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	lmi_rescue.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2644	2696	2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe	87
PID 2696 wrote to memory of 2644	2696	2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe	87
PID 2696 wrote to memory of 2644	2696	2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe	87
PID 2696 wrote to memory of 2644	2696	2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe	87
PID 2696 wrote to memory of 2644	2696	2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ef5e8840cc6c5df91b09680117683395_bkransomware_karagany.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
  "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

Filesize
135KB

MD5
f7c67b42655f17eae239f3229e373958

SHA1
b85b6d61395d4d32d8f471a913129f6d63ceaee7

SHA256
1cd30754dab9009d2b5b13aa940c8beb67ca7d3745ea7973dc2e167ba2de65f6

SHA512
8b48f93f63c52bbcfc9be86361a946e3234111920a448c379126e3c16f1ff3d0ef5e80c27261c3854af4b67f9d7b13cdb1dac3d0080186f00c610c86754679af

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\eula.txt

Filesize
1KB

MD5
81b9077540778d91e19b449ad999ff88

SHA1
285c9229a395ba722a42a11f2a686e44e5afc567

SHA256
4bfbf94aeb970362227ca47644d40f1e66f286a4a3f0193a9d0263fce210a48c

SHA512
088f8ce8d67a85e8fda478a88b26ebbb59e2cd155f89ced1055a7cb18a1fdfc3880a00a90bfe679181aab10d8aa8f2459875295a7b5c8af4749b61c5be753bf9

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

Filesize
3.9MB

MD5
441009073bb9acb840e0cf2e50bf7226

SHA1
aa7424f651a1347d061e033fe384ae1babecc19c

SHA256
921730a30e98d64d8a4fd7a6eaf467b0db714c62e79acdbd092ef46fb612f89b

SHA512
0375e0dabbe9d9cd9f057c95e714003cc419dc7fc6c116da462fe3a6e50b5d84856894290476d0f1a6e5510661874ff3d4b9e873e8c9a7d5ec3800ad291892a8

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

Filesize
3KB

MD5
0b6e0b52143b23dbda26db608371a92f

SHA1
d115121b4f5f0d18319b6065310b5b1161c1ca58

SHA256
3137a1024676559007671d503c383b6861d2d0a0fcb3d826ae17464475b8d904

SHA512
c944411fd6d28bf05e4b2d0933a3c9e39f86d72e914b162c88f0cb7691de60d084e32471c1d9c3b21a9a2b4b8ec332d050f7e97c6d5e1e9ead2ba77d5617f012

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

Filesize
829B

MD5
ba44deda957e87e5f6178c956e45d761

SHA1
365a2eab88a083120f361e6cd197f3895d7c3d3d

SHA256
e93e93f2c99615c552f2fb31358e2075f99fbfa54a7e3afd63838d50b865d8c5

SHA512
3ff65ea75ff41ccd6bdd9842163de5c32c80bef4889ed24ad62a15ea06d711578baef4fc3f5b069fab3c35fff9c43e0bc46ac8006ce53800a03f7b29195db962

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

Filesize
233KB

MD5
854d190fd7b02caa1958fb343c92b402

SHA1
3d510716c839f2227c2436619d3cf38df9d0a2d0

SHA256
187c9b071a26cafa124fdbbc67107d98af5f930990fab66f2df22f6858c2e2a1

SHA512
041a4c0e895fe4d4efa6da91bf5c210e0232201b715a237d34e1c25285adaf537af3167ac7fc7c6869dfcc465e8606f37182d34c3a7c9137430431f65334a910

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

Filesize
23KB

MD5
f2b8e2c273e91e3b5cc269b3d674f104

SHA1
a89ae8d2a211c56d33354e93fd9c8f5ea7cef711

SHA256
626af5b36588442241d8836493eae9c61f81738e4b53d9b44a67909fef5ddc08

SHA512
893738a66537f864f68360ec63aa46df81287338b6059a8e9624fa21bfd9a129a3a3cc7011044478bac42681cc95372672210aaade19cc4f560731f333f4dbbb

Download Submit
memory/2644-36-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads