Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 16:56

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: 2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe
  Resource: win10v2004-20240611-en
General
- Target: 2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe
- Size: 1.8MB
- MD5: 7c676001cc452d83e544c00e398dd207
- SHA1: de7a90824e9b2e0b4d63e2ec3c55e7550f6f1d0f
- SHA256: 99e039eaa6283b9404fc973096dc24906109d19b5a8f7f74a50d90c143b0772a
- SHA512: 6df63fff83f90b03c724e708a4f00aedaa174c4e3191b5b780d68ca2b08b535d76dcfe286f59617d594d697368239469ccf7bbd1268a04c4656d4e0693431a22
- SSDEEP: 24576:AyZEGubJg8R8AvZulu/U4B6xidIKkrZp4cy0vQzk+dsrERW1uUOVu0/UdSqdtPd2:LEpVg3AIlAw4IpdE7srVXHd5dtP4f0y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2936 lmi_rescue.exe
- Loads dropped DLL (3 IoCs)
  Processes: PID 2236 2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe; PID 2936 lmi_rescue.exe; PID 2936 lmi_rescue.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process lmi_rescue.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_3979957847 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"
- Checks whether UAC is enabled
  Process lmi_rescue.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process lmi_rescue.exe: File opened for modification \??\PhysicalDrive0
- Modifies registry class (3 IoCs)
  Process lmi_rescue.exe:
  - Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Applications
  - Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp
  - Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Applications\LMI_Rescue.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 2936 lmi_rescue.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process lmi_rescue.exe (PID 2936): Token: SeCreateGlobalPrivilege (recorded twice)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 2936 lmi_rescue.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2236 (2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe) wrote to memory of PID 2936 (lmi_rescue.exe); this event is recorded 6 times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe (depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
  Filesize: 97B
  MD5: b15a11d207ab38e6fa349f4c073506c1
  SHA1: 65e35997a8bf2c0f094bf27da5bba9f6469a40ba
  SHA256: e997649911a9de3eeaf3614b7e39ccd350b1ca46fac82beecd999183a6c0da0a
  SHA512: 937d9519852e1817ffeca90f458965146c4c344571258a552d30bf29b75d31e77f15c14cfc0ec99b43dd8eb21036845e413b300355b9828c1c13d2d5d5d7241e
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
  Filesize: 3.8MB
  MD5: ce231f194297fa2b56cda3258ec94686
  SHA1: b4498461c0f7a8622ce159d578d903df56cb68ae
  SHA256: fd1e496e73ad49ad618bd2b15a9fcb580944f00ecec79b096089700048cf0251
  SHA512: a5b3b60219c0b0b1702b945784c28831e19c08221e22d0bc06741e969cfa76218e05b055a7783b717004a1b4b7d06fb9743497ed3f1704bca4b026d7e7bf0786
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
  Filesize: 7KB
  MD5: d612a9e3f4cfc5e8f752021aeac055d5
  SHA1: 7df89a2208147fd5f81fd7255832fbb402b68531
  SHA256: 918d2ad08059dc59e0b2b2549085d696a7447f1d607eeb7d135546be96491c70
  SHA512: ddd5d37d9a22d1a169db4775437accf96b8d51f73248da094242c62013f797a7d9907abf5e77b39982ee5e8d7789cb838531f97157c59662a7d7a15ffeffc589
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
  Filesize: 549B
  MD5: 32ad673d728b83c31df88d48efdabefe
  SHA1: 62e091216d9762481869b0b23acaa9e988545efb
  SHA256: eefccc2cef5226feb782be3c73697760ce4d39ec8d939ef161fbe52145db2503
  SHA512: e09fc29b0eb2a8095924a0ca406f9e0218d1f3535f394adf4372701a3aaeca3834ef720f9ba1425aa883a7aa49f7affe83603137b258fe0fea1b290434d6140b
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
  Filesize: 230KB
  MD5: b56450e3b8209039b134827f8a668c7d
  SHA1: 26f77251e504530addbc4032c3646724d04d0399
  SHA256: 5a17eaf2a7e1afe2da9e6bcf665fe10e787af87147234e7ae901f1b55d65222c
  SHA512: b0d728368f923444e3360188ae899674c9dd2df044829d9706a38fba0e823f87151dbd4763432299248ce69ab9a8aa43843587b00e981cf18170876320cb7d26
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
  Filesize: 26KB
  MD5: 8ad28e79941ce3e002804dfe1722ea87
  SHA1: f0a6461b893023261056dcb0dcfab0c21615a24f
  SHA256: 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933
  SHA512: de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
  Filesize: 6KB
  MD5: 9be39b82a297f3010edb3385f16db68b
  SHA1: daee2d1f8841e87334daf8a0eba6eb82a556873b
  SHA256: 253a2326c08ef2a43c19cbe5622fb1d6857dd71b1b6a6bcbf233ab39abba5843
  SHA512: 42e4f34fc2801277021fedef34496daa81c44580350a0a0addaa6f6e6c8b36f9d765ac42c702d35b5f75e1ee389b7d17f5c071b257ff5ce5abb67c1fc496a1f4
- \Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
  Filesize: 134KB
  MD5: 7cf6bf74754b4de39943fed761fb837e
  SHA1: 724593f1c75943274adfa0564192ec2004367aa0
  SHA256: 4cda059840b0552fa78121576246a3745785ebc845def31253d5af0de98b77a7
  SHA512: e3dd723100c5b298fe9605f33be4dc7c22118af6704e10de28d7e774539e3bc4e49907fdcbe84b5e21e3f93d7fbd5c8c79fe536fad8070a8b26c72625fee7599
- memory/2936-35-0x0000000000480000-0x0000000000481000-memory.dmp
  Filesize: 4KB