Analysis
max time kernel: 150s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 16-06-2024 17:50
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
  Resource: win10v2004-20240611-en
General
Target: 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
Size: 1.8MB
MD5: dc13a6e1633a19822451ca8d7669186d
SHA1: 6503afcc303380358d480d9b664e921d1a1d46cc
SHA256: 369c9e5b131132059e298b9b7d4110e1d88526211f5ddda97ced4dd323eca037
SHA512: de454523ddfb8a3a3c52b192f6fb2c27c1f8b8d63de2d9217780d68dd2030d917e4f84009ec179eaa330d6891bb8ca26b06294bec68d5a4df46bd9a50278ec1e
SSDEEP: 49152:X9AdoX4s6K70P4cNuFidXCoBJneGUe6tQPKiJc:tAans4cNdNBJnes6tQPx
Malware Config
Signatures

Executes dropped EXE 1 IoCs
Processes:
  pid 3552  process lmi_rescue.exe

Loads dropped DLL 2 IoCs
Processes:
  pid 3552  process lmi_rescue.exe
  pid 3552  process lmi_rescue.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1981580648 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"
  process: lmi_rescue.exe
Checks whether UAC is enabled 1 IoCs
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: lmi_rescue.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description: File opened for modification
  ioc: \??\PhysicalDrive0
  process: lmi_rescue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid 3552  process lmi_rescue.exe
  pid 3552  process lmi_rescue.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeCreateGlobalPrivilege  pid 3552  process lmi_rescue.exe
  description: Token: SeCreateGlobalPrivilege  pid 3552  process lmi_rescue.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid 3552  process lmi_rescue.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
  description: PID 1716 wrote to memory of 3552  pid 1716  process 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  target process lmi_rescue.exe
  description: PID 1716 wrote to memory of 3552  pid 1716  process 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  target process lmi_rescue.exe
  description: PID 1716 wrote to memory of 3552  pid 1716  process 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  target process lmi_rescue.exe
  description: PID 1716 wrote to memory of 3552  pid 1716  process 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  target process lmi_rescue.exe
  description: PID 1716 wrote to memory of 3552  pid 1716  process 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe  target process lmi_rescue.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe"
   PID: 1716
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      Command line: "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
      PID: 3552
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 135KB
MD5: f7c67b42655f17eae239f3229e373958
SHA1: b85b6d61395d4d32d8f471a913129f6d63ceaee7
SHA256: 1cd30754dab9009d2b5b13aa940c8beb67ca7d3745ea7973dc2e167ba2de65f6
SHA512: 8b48f93f63c52bbcfc9be86361a946e3234111920a448c379126e3c16f1ff3d0ef5e80c27261c3854af4b67f9d7b13cdb1dac3d0080186f00c610c86754679af

Filesize: 98B
MD5: b42ee0a9809c791112305a8153d608cb
SHA1: 1b6c31120c3a514dbfbdd8ca26ba273fc7d780b0
SHA256: da370839df8bc3f04bf8c17fac30557a27eb3687d1650c24c4181e98d621d259
SHA512: 10a24fc9a8e05b5e2d859cdc37a6374b10130e9a9083b9f51d606ef34524d4e279fedd452139019fe34881f266654e35064c305d9f9319bdfeaf3f1148e00bdb

Filesize: 210B
MD5: 12c945835f367c0ad272ba7e5802e044
SHA1: 52029d9a23bb414f7011e2ecd2c9d6b9ba41d1f3
SHA256: 6c70901bf3bf29c39605b6034986a4dd497070e02b86b9c61c2f0b2477475adf
SHA512: 064208bc6f0f38307e90df849a39724fbe18d510c2e797a68e664839c230e4b287faaa4209f188ee9260a12dd613f6f0cae0ff3076f68b1b5eb5e253426fed25

Filesize: 3.9MB
MD5: 441009073bb9acb840e0cf2e50bf7226
SHA1: aa7424f651a1347d061e033fe384ae1babecc19c
SHA256: 921730a30e98d64d8a4fd7a6eaf467b0db714c62e79acdbd092ef46fb612f89b
SHA512: 0375e0dabbe9d9cd9f057c95e714003cc419dc7fc6c116da462fe3a6e50b5d84856894290476d0f1a6e5510661874ff3d4b9e873e8c9a7d5ec3800ad291892a8

Filesize: 7KB
MD5: 488e9ca1377ac6a7952f122520fab933
SHA1: b29f32f46806632fbc3fe706cc862989f7944669
SHA256: a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088
SHA512: 591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c

Filesize: 500B
MD5: ace33e340873d4e2c7846b10be335468
SHA1: 3728d14bc3090f61ba7fc791a2c11e0720938683
SHA256: 3e9908bba36b958cbaafb2fc42ee7eed7bf815432230768f78d48e1736f24e99
SHA512: 98dc3c9fb880e0a29d799643a2d13dc26916d4340e99778d44cf1d995c5634ab454cafa3b653992b23353b19acdadb97c4773475e75be2e3c42597ebd8012773

Filesize: 233KB
MD5: 854d190fd7b02caa1958fb343c92b402
SHA1: 3d510716c839f2227c2436619d3cf38df9d0a2d0
SHA256: 187c9b071a26cafa124fdbbc67107d98af5f930990fab66f2df22f6858c2e2a1
SHA512: 041a4c0e895fe4d4efa6da91bf5c210e0232201b715a237d34e1c25285adaf537af3167ac7fc7c6869dfcc465e8606f37182d34c3a7c9137430431f65334a910

Filesize: 26KB
MD5: 8ad28e79941ce3e002804dfe1722ea87
SHA1: f0a6461b893023261056dcb0dcfab0c21615a24f
SHA256: 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933
SHA512: de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

Filesize: 1KB
MD5: 907c973f232e31e49a184519c3775d8e
SHA1: 5bf7c8d16133b942c22087f44645c5c74cfa0e6b
SHA256: 55911c772a76d11bf16161f8cec1f8019e7c409fde3040145b3591891dfa46de
SHA512: cf4b5b24664f5319e9e0e9c8e43c11a794d52b0a5399d7ddbc183ca03660dd8672b081e2548663a50a2013c8200346eef52ff426c215e935af422c3e8b3009c0

Filesize: 4KB
MD5: 98b1078fe542f40734969b870da3bc39
SHA1: e29d0a6513eca6a0b731527521bc28c84ddc17bf
SHA256: c4edeb361a733f1fdf4c071ae8cee6f8a19e32363022ce3298b1cdc4f2b76092
SHA512: 84ec4c5e828a3faf25947d205c925f88c6d180c80176f2a418e6a90c8955657d8f76e42e7b14ebcb2a6fd3b79c0f3572f0092052894ace188920eaa242badc8a

Filesize: 6KB
MD5: 6636f0417f7127ac8716490316ff203f
SHA1: 278ac4cabd621bbb69178b0d70f8f4dd5dafe039
SHA256: bc430b96ce122d322eb5a944f3dfcd3110355ab5c3451cb6b8a8b3537ebcd152
SHA512: 1e3448a98b45e4f1cd037e26b8bc40bd42c54237724d5184377bddf077ca91a872af756f26a322b3135fbfdf5b6adc479bbe0e9f2e9c5089152436ccb2878258

Filesize: 346B
MD5: 16b6545b1bc20dc562bfd439aef564c3
SHA1: 73376b7c5f59d84ee9b0c35e7398414d81b1b57d
SHA256: 73e1ab56e04df730f9638e03420730fb8da18244680ab023dc455915956da9f1
SHA512: 54ab0d1ed847db4737170a6991bb7c8b1e820bb435d882f7e21ce1264766607691941930b4d31dac4db38d295e392c530628b7bea7a605bedf37e8c12d94e816