Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
16-06-2024 17:50
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
Resource
win10v2004-20240611-en
General
-
Target
2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
-
Size
1.8MB
-
MD5
dc13a6e1633a19822451ca8d7669186d
-
SHA1
6503afcc303380358d480d9b664e921d1a1d46cc
-
SHA256
369c9e5b131132059e298b9b7d4110e1d88526211f5ddda97ced4dd323eca037
-
SHA512
de454523ddfb8a3a3c52b192f6fb2c27c1f8b8d63de2d9217780d68dd2030d917e4f84009ec179eaa330d6891bb8ca26b06294bec68d5a4df46bd9a50278ec1e
-
SSDEEP
49152:X9AdoX4s6K70P4cNuFidXCoBJneGUe6tQPKiJc:tAans4cNdNBJnes6tQPx
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2304  lmi_rescue.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  2852  2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
  2304  lmi_rescue.exe
  2304  lmi_rescue.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1981580648 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"  lmi_rescue.exe
Checks whether UAC is enabled (1 IoC)
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  lmi_rescue.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                 process
  File opened for modification  \??\PhysicalDrive0  lmi_rescue.exe

Modifies registry class (3 IoCs)
Processes:
  description      ioc                                                                                                      process
  Key created      \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications\LMI_Rescue.exe            lmi_rescue.exe
  Key created      \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications                           lmi_rescue.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp  lmi_rescue.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  2304  lmi_rescue.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                     pid   process
  Token: SeCreateGlobalPrivilege  2304  lmi_rescue.exe
  Token: SeCreateGlobalPrivilege  2304  lmi_rescue.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  2304  lmi_rescue.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 2852 wrote to memory of 2304  2852  2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  lmi_rescue.exe
  PID 2852 wrote to memory of 2304  2852  2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  lmi_rescue.exe
  PID 2852 wrote to memory of 2304  2852  2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  lmi_rescue.exe
  PID 2852 wrote to memory of 2304  2852  2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  lmi_rescue.exe
  PID 2852 wrote to memory of 2304  2852  2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  lmi_rescue.exe
  PID 2852 wrote to memory of 2304  2852  2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  lmi_rescue.exe
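The RunOnce write above is the one IoC in this report an analyst can turn directly into a host check, but only once the sandbox's flattened "Set value (str) <key>\<name> = "<data>" <process>" line is split into hive, key, value name and command line. The Python below is an added example, not part of this report or of any sandbox's code: it parses lines in that shape, maps the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to HKLM and HKU\<SID>, extracts the program and arguments from the value data, and flags Run/RunOnce writes. The first sample line reproduces the RunOnce IoC from this report; the second (an HKLM Run value written by "example.exe") is constructed for contrast and does not appear in the report. The meaning given to the "*" and "!" prefixes on RunOnce value names is Microsoft's documented behaviour: "*" makes the entry run even in Safe Mode, "!" defers deletion until the command has completed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. Line 1 is the RunOnce IoC from this report; line 2 is a
# hypothetical HKLM Run value by a hypothetical "example.exe", added for contrast.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1981580648 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" lmi_rescue.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\upd.exe /quiet" example.exe',
]

# <key path> has no spaces; <data> is double-quoted with \" and \\ escapes; <process> is the last token.
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+)$'
)

RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
RUNONCE_KEY = "software\\microsoft\\windows\\currentversion\\runonce"


@dataclass
class RegistryWrite:
    hive: str            # HKLM, or HKU\<SID> (the sandbox also reports HKU\<SID>_CLASSES this way)
    key: str             # key path below the hive
    name: str            # value name exactly as written, prefix characters included
    data: str            # value data with the report's backslash escaping removed
    process: str         # process that performed the write
    autostart: bool      # key is a Run or RunOnce key
    run_once: bool       # key is RunOnce (entry is deleted before it runs)
    safe_mode: bool      # '*' prefix on a RunOnce name: still runs in Safe Mode
    defer_delete: bool   # '!' prefix on a RunOnce name: deleted only after the command completes
    program: str         # executable taken from the command line in data
    args: str            # remaining arguments


def split_command_line(cmd: str) -> Tuple[str, str]:
    """Split a Windows command line into (program, args), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_registry_write(line: str) -> Optional[RegistryWrite]:
    """Parse one 'Set value (...)' IoC line; return None for lines of any other shape."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("path").split("\\")          # ['', 'REGISTRY', 'USER'|'MACHINE', ...]
    if len(parts) < 4 or parts[1] != "REGISTRY":
        return None
    if parts[2] == "MACHINE":
        hive, rest = "HKLM", parts[3:]
    elif parts[2] == "USER":
        hive, rest = "HKU\\" + parts[3], parts[4:]
    else:
        return None
    if not rest:
        return None
    name, key = rest[-1], "\\".join(rest[:-1])
    data = re.sub(r"\\(.)", r"\1", m.group("data"))   # undo the \" and \\ escaping
    program, args = split_command_line(data)
    key_l = key.lower()
    run_once = key_l.endswith(RUNONCE_KEY)
    return RegistryWrite(
        hive=hive, key=key, name=name, data=data, process=m.group("proc"),
        autostart=key_l.endswith(RUN_KEY) or run_once, run_once=run_once,
        safe_mode=run_once and name.startswith("*"),
        defer_delete=run_once and name.startswith("!"),
        program=program, args=args,
    )


def autostart_entries(lines: List[str]) -> List[RegistryWrite]:
    """Keep only the writes that land in a Run or RunOnce key."""
    return [w for w in (parse_registry_write(l) for l in lines) if w and w.autostart]


if __name__ == "__main__":
    for w in autostart_entries(SAMPLE_IOCS):
        print(f"{w.process}: {w.hive}\\{w.key}\\{w.name} -> {w.program} {w.args}"
              f" (runonce={w.run_once}, safe_mode={w.safe_mode})")
```

On this report's line the parser yields HKU\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce with value name *LogMeInRescue_1981580648, pointing at lmi_rescue.exe under the LMIR0001.tmp directory with the arguments "-runonce reboot": a one-shot autostart that also fires after a Safe Mode boot. The "Key value queried ... EnableLUA" line in the next signature has a different shape and is deliberately rejected rather than misparsed.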
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe"
  PID: 2852
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
    Command line: "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
    PID: 2304
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
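The "Writes to the Master Boot Record (MBR)" entry in the tree above rests on a single IoC, "File opened for modification \??\PhysicalDrive0": the sandbox saw a handle to the raw disk opened with write access, which is not the same as seeing sector 0 change. Confirming an actual MBR write means pulling sector 0 from the pre-run and post-run disk images and comparing the regions that matter. The Python below is an added example, not part of this report: it validates a 512-byte MBR (0x55AA signature), decodes the partition table, and reports whether the boot code, the disk signature or the partition table differ between a baseline copy and a later one. The two sectors are constructed inline and are not taken from this sample; read_sector0 is a plain helper for a raw image file or, with administrative rights on Windows, the \\.\PhysicalDrive0 device itself.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439: boot code
DISK_SIG_OFF = 440      # bytes 440..443: NT disk signature (444..445 reserved)
PART_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510      # bytes 510..511: 0x55 0xAA
PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Check the boot signature and decode the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if type_id == 0:            # empty slot
            continue
        entries.append(PartitionEntry(status == 0x80, type_id, lba_start, sectors))
    return entries


def build_sector(boot_code: bytes, disk_sig: bytes, partitions: List[PartitionEntry]) -> bytes:
    """Assemble a structurally valid MBR from its parts (used here only to construct sample data)."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig[:4]
    for i, p in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


def mbr_diff(baseline: bytes, current: bytes) -> Dict[str, object]:
    """Report which MBR regions differ between a known-good sector 0 and a later copy."""
    parse_partition_table(baseline)   # both copies must at least be structurally valid
    parse_partition_table(current)
    return {
        "boot_code_changed": baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN],
        "disk_signature_changed": baseline[DISK_SIG_OFF:DISK_SIG_OFF + 4] != current[DISK_SIG_OFF:DISK_SIG_OFF + 4],
        "partition_table_changed": baseline[PART_TABLE_OFF:BOOT_SIG_OFF] != current[PART_TABLE_OFF:BOOT_SIG_OFF],
        "boot_code_sha256": hashlib.sha256(current[:BOOT_CODE_LEN]).hexdigest(),
    }


def read_sector0(path: str) -> bytes:
    # path is a raw disk image, or on Windows (as administrator) the device \\.\PhysicalDrive0
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed sample data, not taken from the sample: a stand-in MBR with one bootable
# type-0x07 partition, and a copy whose first eight bytes of boot code were overwritten.
CLEAN_MBR = build_sector(bytes(range(256)) + bytes(range(184)), b"\x11\x22\x33\x44",
                         [PartitionEntry(True, 0x07, 2048, 204800)])
_tampered = bytearray(CLEAN_MBR)
_tampered[:8] = b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc"   # constructed replacement prologue
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print(parse_partition_table(TAMPERED_MBR))
    print(mbr_diff(CLEAN_MBR, TAMPERED_MBR))
```

A bootkit-style change shows up as boot_code_changed with the partition table intact, which is what the constructed pair demonstrates; a changed partition table or disk signature points at a repartitioning or wiper-style write instead. If both images show no difference, the PhysicalDrive0 handle was opened but sector 0 was not rewritten during the run, and the signature should be treated as a lead rather than a finding.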
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
135KB
MD5
f7c67b42655f17eae239f3229e373958
SHA1
b85b6d61395d4d32d8f471a913129f6d63ceaee7
SHA256
1cd30754dab9009d2b5b13aa940c8beb67ca7d3745ea7973dc2e167ba2de65f6
SHA512
8b48f93f63c52bbcfc9be86361a946e3234111920a448c379126e3c16f1ff3d0ef5e80c27261c3854af4b67f9d7b13cdb1dac3d0080186f00c610c86754679af
-
Filesize
96B
MD5
eb87f293be771cd3f4e7db5c7de07a30
SHA1
e4455f4141b2c74d1b4adb8a1f2afd0816c3ba06
SHA256
a229f45574dd4e27319f878fe9522300037b2f251588a211a56a950b8d6be2da
SHA512
dd9ecff3a351394bca93b676f756d824a8a69efac0c2437cbe955c5f1016284358cace283fdc54ae7dac2d30796dd24ffe5c436a18fb7bbd7261a8647a4b836c
-
Filesize
3.9MB
MD5
441009073bb9acb840e0cf2e50bf7226
SHA1
aa7424f651a1347d061e033fe384ae1babecc19c
SHA256
921730a30e98d64d8a4fd7a6eaf467b0db714c62e79acdbd092ef46fb612f89b
SHA512
0375e0dabbe9d9cd9f057c95e714003cc419dc7fc6c116da462fe3a6e50b5d84856894290476d0f1a6e5510661874ff3d4b9e873e8c9a7d5ec3800ad291892a8
-
Filesize
7KB
MD5
488e9ca1377ac6a7952f122520fab933
SHA1
b29f32f46806632fbc3fe706cc862989f7944669
SHA256
a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088
SHA512
591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c
-
Filesize
500B
MD5
ace33e340873d4e2c7846b10be335468
SHA1
3728d14bc3090f61ba7fc791a2c11e0720938683
SHA256
3e9908bba36b958cbaafb2fc42ee7eed7bf815432230768f78d48e1736f24e99
SHA512
98dc3c9fb880e0a29d799643a2d13dc26916d4340e99778d44cf1d995c5634ab454cafa3b653992b23353b19acdadb97c4773475e75be2e3c42597ebd8012773
-
Filesize
233KB
MD5
854d190fd7b02caa1958fb343c92b402
SHA1
3d510716c839f2227c2436619d3cf38df9d0a2d0
SHA256
187c9b071a26cafa124fdbbc67107d98af5f930990fab66f2df22f6858c2e2a1
SHA512
041a4c0e895fe4d4efa6da91bf5c210e0232201b715a237d34e1c25285adaf537af3167ac7fc7c6869dfcc465e8606f37182d34c3a7c9137430431f65334a910
-
Filesize
26KB
MD5
8ad28e79941ce3e002804dfe1722ea87
SHA1
f0a6461b893023261056dcb0dcfab0c21615a24f
SHA256
63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933
SHA512
de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70
-
Filesize
8KB
MD5
0092ccf961adbe44e78c87e5930be434
SHA1
f556afa0e11eb3c410b701c6d9cf1a1a630d1625
SHA256
0f215d86744d0f84798f55839e30485b6fe43847b5b85d26ab124b75e4c8b02f
SHA512
a1e18f631a0794fbf70b072a15fe667f8b4952f094983eba1f88e8bae7f04106471fba93b64959dae052788a2ddf65cdc7c4fd4d1c21a80c2214d49d86098182
-
Filesize
344B
MD5
2fad3dbfc737f774b51a6654958a47d3
SHA1
dc7170525517d8322345515f27c3df359b11254d
SHA256
c53c320540f1ecf2ee0d88a74dd4ec9781a1b0d83544dff22f96a6a6ce388bd3
SHA512
09877effe6cf71977fd7944a94309fb394b0594619cd9913001bcb486a46187de61de5ed5a5f567774b85a461a8baae4bc31fb423fc4ac799ed79e0257e87a88
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b