Analysis

  • max time kernel: 92s
  • max time network: 140s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06-10-2024 10:46

General

  • Target

    2024-10-06_a7bf65818d46158c7b30868eefc7e491_bkransomware_karagany.exe

  • Size

    10.9MB

  • MD5

    a7bf65818d46158c7b30868eefc7e491

  • SHA1

    38d4a8f69bc5056d3e73f7c6763099cd02e865c3

  • SHA256

    b8b7371cde124baf99f1c7fa947906ce7ce72b918a835c43eeadcf356a971c07

  • SHA512

    87a6ba10a05162f515292fde7530ed052d08723ad547ea3ce1227168b32cf32d11b7ff904807b0bb019f91198260f2f025b378bdc727ef54eca4425c8adfd023

  • SSDEEP

    196608:PLbYQVG2JOguavkNqkTf9ABa/MXvd4wdbOj93pL2hDcsqjZ72Oz+Arm5g1xFPld0:jbYlQRb8HW4w4lgosWZ6OEyVW

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-06_a7bf65818d46158c7b30868eefc7e491_bkransomware_karagany.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-06_a7bf65818d46158c7b30868eefc7e491_bkransomware_karagany.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\join.me.exe
      "C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\join.me.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\LMIGuardianSvc.exe
        C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\LMIGuardianSvc /escort 1544 /CUSTOM JoinMe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\LMIGuardianDll.dll

    Filesize

    1.5MB

    MD5

    3d5b26f5076fbe6e5bfc12170ff9c205

    SHA1

    2f3402e0413b5d064d9f849dd912f73f6199880c

    SHA256

    442b9dc4c1ad721da400c7b0539da0d278f41a93740b6913e34b400bec9d1ff7

    SHA512

    89587a9d40a1f769b6da12dd32fee5bd09c5c93a8a95f0dcca336eb1ab1fe9e94a5895ca6afd359429fa6edf056bd5f971bd9d0b8f009be9d957ca70c2a88904

  • C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\LMIGuardianSvc.exe

    Filesize

    402KB

    MD5

    34259f50b7826e57ebd146e30ad0c587

    SHA1

    8b77ca40d195c890d1bfc2ed4b346d55f1bbf4d3

    SHA256

    8603457211df3f9e74277105db2f6ab1915b99a29b1d1ec540d1442ee50313d2

    SHA512

    c3646523e941d2e6648ea6cc5b52c55feef7bc5d142052f5647b79d92fe5f2693fae3c650a5766a7b2cd9054b2a197886dcf41051d3d8b10c1f1d3b129414524

  • C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\config.json

    Filesize

    354B

    MD5

    3532fc5043716979bf0dba5a5a005fe8

    SHA1

    9eb6eb7870e498f1e23cfd67cfea22ae48405289

    SHA256

    71f5b1791c90b2790b93a9ad13554ba3c374ba59d890b28a75fc91873f79d9cf

    SHA512

    920e3ec1f41ea070030b14b206e15b5ef1dd4f887ede3d07ff7f11c89cb6cab5064b1ce572ba46954aff07d2f5462dbea182d203ed363355deb86a7fae7b2d35

  • C:\Users\Admin\AppData\Local\Temp\joiB100.tmp\join.me.exe

    Filesize

    24.3MB

    MD5

    7736b24ee7c26ef4159f054fa3f416c6

    SHA1

    eefafe97e7c23009a62124ce9f9f8743b7f1ffd5

    SHA256

    c69ba65f27e5289195dfb41b462ab3e1e7568d450592d7eba2d88b063ee84395

    SHA512

    58f1e61fe2eb8627690a53c4de505d2b22033fb135e5d551e29d8d9d4b01e40b54c6c893b287e9f02520f59fa0ac34a818d0e43c88baa3e13b5af90ec5256e1c

  • C:\Users\Admin\AppData\Local\join.me\join.me.log

    Filesize

    1KB

    MD5

    211ab8833831a57461f0869a41fe110e

    SHA1

    bab83714ee873f737cba9a0bc9bf8e7fab73ce70

    SHA256

    0cc935d4be465c7fdaff64ebd1cf7d6a57548902f8a709abace668ff08f75f74

    SHA512

    18e3894457c62002f3def66362223d2c7ccc77810e63677fffeea3836bab70a02a31fb96a466c8efee98937e43ce7b175881e2d2995ad0176c01ac5171ad42f9