Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-06-2024 17:50

General

  • Target

    2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe

  • Size

    1.8MB

  • MD5

    dc13a6e1633a19822451ca8d7669186d

  • SHA1

    6503afcc303380358d480d9b664e921d1a1d46cc

  • SHA256

    369c9e5b131132059e298b9b7d4110e1d88526211f5ddda97ced4dd323eca037

  • SHA512

    de454523ddfb8a3a3c52b192f6fb2c27c1f8b8d63de2d9217780d68dd2030d917e4f84009ec179eaa330d6891bb8ca26b06294bec68d5a4df46bd9a50278ec1e

  • SSDEEP

    49152:X9AdoX4s6K70P4cNuFidXCoBJneGUe6tQPKiJc:tAans4cNdNBJnes6tQPx

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3552

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

    Filesize

    135KB

    MD5

    f7c67b42655f17eae239f3229e373958

    SHA1

    b85b6d61395d4d32d8f471a913129f6d63ceaee7

    SHA256

    1cd30754dab9009d2b5b13aa940c8beb67ca7d3745ea7973dc2e167ba2de65f6

    SHA512

    8b48f93f63c52bbcfc9be86361a946e3234111920a448c379126e3c16f1ff3d0ef5e80c27261c3854af4b67f9d7b13cdb1dac3d0080186f00c610c86754679af

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

    Filesize

    98B

    MD5

    b42ee0a9809c791112305a8153d608cb

    SHA1

    1b6c31120c3a514dbfbdd8ca26ba273fc7d780b0

    SHA256

    da370839df8bc3f04bf8c17fac30557a27eb3687d1650c24c4181e98d621d259

    SHA512

    10a24fc9a8e05b5e2d859cdc37a6374b10130e9a9083b9f51d606ef34524d4e279fedd452139019fe34881f266654e35064c305d9f9319bdfeaf3f1148e00bdb

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

    Filesize

    210B

    MD5

    12c945835f367c0ad272ba7e5802e044

    SHA1

    52029d9a23bb414f7011e2ecd2c9d6b9ba41d1f3

    SHA256

    6c70901bf3bf29c39605b6034986a4dd497070e02b86b9c61c2f0b2477475adf

    SHA512

    064208bc6f0f38307e90df849a39724fbe18d510c2e797a68e664839c230e4b287faaa4209f188ee9260a12dd613f6f0cae0ff3076f68b1b5eb5e253426fed25

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

    Filesize

    3.9MB

    MD5

    441009073bb9acb840e0cf2e50bf7226

    SHA1

    aa7424f651a1347d061e033fe384ae1babecc19c

    SHA256

    921730a30e98d64d8a4fd7a6eaf467b0db714c62e79acdbd092ef46fb612f89b

    SHA512

    0375e0dabbe9d9cd9f057c95e714003cc419dc7fc6c116da462fe3a6e50b5d84856894290476d0f1a6e5510661874ff3d4b9e873e8c9a7d5ec3800ad291892a8

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

    Filesize

    7KB

    MD5

    488e9ca1377ac6a7952f122520fab933

    SHA1

    b29f32f46806632fbc3fe706cc862989f7944669

    SHA256

    a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088

    SHA512

    591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

    Filesize

    500B

    MD5

    ace33e340873d4e2c7846b10be335468

    SHA1

    3728d14bc3090f61ba7fc791a2c11e0720938683

    SHA256

    3e9908bba36b958cbaafb2fc42ee7eed7bf815432230768f78d48e1736f24e99

    SHA512

    98dc3c9fb880e0a29d799643a2d13dc26916d4340e99778d44cf1d995c5634ab454cafa3b653992b23353b19acdadb97c4773475e75be2e3c42597ebd8012773

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

    Filesize

    233KB

    MD5

    854d190fd7b02caa1958fb343c92b402

    SHA1

    3d510716c839f2227c2436619d3cf38df9d0a2d0

    SHA256

    187c9b071a26cafa124fdbbc67107d98af5f930990fab66f2df22f6858c2e2a1

    SHA512

    041a4c0e895fe4d4efa6da91bf5c210e0232201b715a237d34e1c25285adaf537af3167ac7fc7c6869dfcc465e8606f37182d34c3a7c9137430431f65334a910

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

    Filesize

    26KB

    MD5

    8ad28e79941ce3e002804dfe1722ea87

    SHA1

    f0a6461b893023261056dcb0dcfab0c21615a24f

    SHA256

    63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933

    SHA512

    de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    1KB

    MD5

    907c973f232e31e49a184519c3775d8e

    SHA1

    5bf7c8d16133b942c22087f44645c5c74cfa0e6b

    SHA256

    55911c772a76d11bf16161f8cec1f8019e7c409fde3040145b3591891dfa46de

    SHA512

    cf4b5b24664f5319e9e0e9c8e43c11a794d52b0a5399d7ddbc183ca03660dd8672b081e2548663a50a2013c8200346eef52ff426c215e935af422c3e8b3009c0

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    4KB

    MD5

    98b1078fe542f40734969b870da3bc39

    SHA1

    e29d0a6513eca6a0b731527521bc28c84ddc17bf

    SHA256

    c4edeb361a733f1fdf4c071ae8cee6f8a19e32363022ce3298b1cdc4f2b76092

    SHA512

    84ec4c5e828a3faf25947d205c925f88c6d180c80176f2a418e6a90c8955657d8f76e42e7b14ebcb2a6fd3b79c0f3572f0092052894ace188920eaa242badc8a

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

    Filesize

    6KB

    MD5

    6636f0417f7127ac8716490316ff203f

    SHA1

    278ac4cabd621bbb69178b0d70f8f4dd5dafe039

    SHA256

    bc430b96ce122d322eb5a944f3dfcd3110355ab5c3451cb6b8a8b3537ebcd152

    SHA512

    1e3448a98b45e4f1cd037e26b8bc40bd42c54237724d5184377bddf077ca91a872af756f26a322b3135fbfdf5b6adc479bbe0e9f2e9c5089152436ccb2878258

  • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

    Filesize

    346B

    MD5

    16b6545b1bc20dc562bfd439aef564c3

    SHA1

    73376b7c5f59d84ee9b0c35e7398414d81b1b57d

    SHA256

    73e1ab56e04df730f9638e03420730fb8da18244680ab023dc455915956da9f1

    SHA512

    54ab0d1ed847db4737170a6991bb7c8b1e820bb435d882f7e21ce1264766607691941930b4d31dac4db38d295e392c530628b7bea7a605bedf37e8c12d94e816

  • memory/3552-34-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

    Filesize

    4KB