Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30-06-2024 16:56

General

  • Target

    2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe

  • Size

    1.8MB

  • MD5

    7c676001cc452d83e544c00e398dd207

  • SHA1

    de7a90824e9b2e0b4d63e2ec3c55e7550f6f1d0f

  • SHA256

    99e039eaa6283b9404fc973096dc24906109d19b5a8f7f74a50d90c143b0772a

  • SHA512

    6df63fff83f90b03c724e708a4f00aedaa174c4e3191b5b780d68ca2b08b535d76dcfe286f59617d594d697368239469ccf7bbd1268a04c4656d4e0693431a22

  • SSDEEP

    24576:AyZEGubJg8R8AvZulu/U4B6xidIKkrZp4cy0vQzk+dsrERW1uUOVu0/UdSqdtPd2:LEpVg3AIlAw4IpdE7srVXHd5dtP4f0y

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
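The two persistence signatures above (Run key, MBR write) are the ones worth re-checking on a real host after detonation or during incident response. The script below is an added example, not part of the sandbox report or of any LogMeIn tooling: it hashes the first disk sector (boot code and partition table separately, so a legitimate repartition is not mistaken for a bootkit write) and flags Run-key autostart values whose executable lives in a user-writable directory. The sample Run entry is constructed from the dropped path in this report; the report does not show the actual value name, so "LMIRescue" is an assumption. The live disk and registry reads only work on Windows (the disk read needs admin); the pure functions run anywhere.

```python
"""Added example: host checks for the Run-key and MBR-write behaviours flagged
in the report. Not part of the report; see the lead-in for assumptions."""
import hashlib
import sys
from typing import Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code (what a classic bootkit patches)
PART_TABLE_END = 510       # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # bytes 510..511: boot signature


def check_mbr(sector: bytes, baseline: Optional[dict] = None) -> dict:
    """Validate the boot signature and hash boot code and partition table.

    `baseline` is a dict previously returned by this function for the same
    disk (e.g. from a golden image); when given, the result also reports
    which region changed, so a boot-code overwrite is distinguishable from
    a partition-table edit.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    result = {
        "signature_ok": sector[PART_TABLE_END:] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "part_table_sha256": hashlib.sha256(sector[BOOT_CODE_LEN:PART_TABLE_END]).hexdigest(),
    }
    if baseline is not None:
        result["boot_code_changed"] = result["boot_code_sha256"] != baseline["boot_code_sha256"]
        result["part_table_changed"] = result["part_table_sha256"] != baseline["part_table_sha256"]
    return result


def read_mbr_windows(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical disk. Windows only; needs admin."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


# Path fragments a standard user can write to; compared lower-cased.
USER_WRITABLE_HINTS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                       "\\temp\\", "\\users\\public\\")


def command_executable(command: str) -> str:
    """Return the executable part of a Run-key command line, quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries: dict) -> dict:
    """Return the Run values (name -> command) whose executable sits in a
    user-writable location such as AppData or Temp."""
    flagged = {}
    for name, command in entries.items():
        exe = command_executable(command).lower()
        if any(hint in exe for hint in USER_WRITABLE_HINTS):
            flagged[name] = command
    return flagged


def read_run_keys_windows() -> dict:
    """Collect HKCU and HKLM ...\\CurrentVersion\\Run values (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    found = {}
    for label, hive in hives.items():
        try:
            with winreg.OpenKey(hive, subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:      # no more values under this key
                        break
                    found[f"{label}\\{name}"] = str(value)
                    index += 1
        except OSError:                  # key missing or not readable
            continue
    return found


# Constructed sample modelled on this report: the dropped applet path used as an
# autostart command. The value name "LMIRescue" is an assumption (the report
# does not show it); the second entry is a stock Windows autostart value.
SAMPLE_RUN_ENTRIES = {
    "LMIRescue": r'"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    print("flagged sample entries:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
    if sys.platform == "win32":
        print("flagged live entries:", suspicious_run_entries(read_run_keys_windows()))
        print("MBR:", check_mbr(read_mbr_windows()))  # save this as the baseline when the host is known-good
```

Store the `check_mbr` output from a known-good state and pass it as `baseline` after detonation; a changed `boot_code_sha256` with an unchanged partition table is the pattern a bootkit write produces.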

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3384
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
    1⤵
      PID:4448

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Modify Registry (T1112): 1
    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
  • Discovery
    System Information Discovery (T1082): 2

Downloads

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll
      Filesize

      134KB

      MD5

      7cf6bf74754b4de39943fed761fb837e

      SHA1

      724593f1c75943274adfa0564192ec2004367aa0

      SHA256

      4cda059840b0552fa78121576246a3745785ebc845def31253d5af0de98b77a7

      SHA512

      e3dd723100c5b298fe9605f33be4dc7c22118af6704e10de28d7e774539e3bc4e49907fdcbe84b5e21e3f93d7fbd5c8c79fe536fad8070a8b26c72625fee7599

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
      Filesize

      98B

      MD5

      de881783ea4bb851e299b9b6a4cf1d0e

      SHA1

      be8e1ab3b17192398f211a60c01bab6efd9a668e

      SHA256

      2c3ea79a6ae678c4e5b41504e6b0b07b7def503dd6dac6d7775a7f648554dc9a

      SHA512

      3f78e5ad8ce95d4166d71c0241090b8b91bebff63b42481cfdc650e8b9ff03f0ac5d44bb6b818cce38b61223e1cc1e352d980f9d66b58f7990f48f11a92e819b

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat
      Filesize

      212B

      MD5

      079beff7528450608da575d9e586fa89

      SHA1

      d260806c8bc11071f382b4f1be86284589607e61

      SHA256

      df0b85748785fc7e2edb89c7257e82434d5494c72c3436cf7a687446fec2735c

      SHA512

      482907e442207927cb85c2cccd4abeed3cc461f53d2776ff4cd7c427397195490b32c49829338737d4c95510e18210465a5d8beab185e9237bff837882583dad

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
      Filesize

      3.8MB

      MD5

      ce231f194297fa2b56cda3258ec94686

      SHA1

      b4498461c0f7a8622ce159d578d903df56cb68ae

      SHA256

      fd1e496e73ad49ad618bd2b15a9fcb580944f00ecec79b096089700048cf0251

      SHA512

      a5b3b60219c0b0b1702b945784c28831e19c08221e22d0bc06741e969cfa76218e05b055a7783b717004a1b4b7d06fb9743497ed3f1704bca4b026d7e7bf0786

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp
      Filesize

      7KB

      MD5

      d612a9e3f4cfc5e8f752021aeac055d5

      SHA1

      7df89a2208147fd5f81fd7255832fbb402b68531

      SHA256

      918d2ad08059dc59e0b2b2549085d696a7447f1d607eeb7d135546be96491c70

      SHA512

      ddd5d37d9a22d1a169db4775437accf96b8d51f73248da094242c62013f797a7d9907abf5e77b39982ee5e8d7789cb838531f97157c59662a7d7a15ffeffc589

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt
      Filesize

      549B

      MD5

      32ad673d728b83c31df88d48efdabefe

      SHA1

      62e091216d9762481869b0b23acaa9e988545efb

      SHA256

      eefccc2cef5226feb782be3c73697760ce4d39ec8d939ef161fbe52145db2503

      SHA512

      e09fc29b0eb2a8095924a0ca406f9e0218d1f3535f394adf4372701a3aaeca3834ef720f9ba1425aa883a7aa49f7affe83603137b258fe0fea1b290434d6140b

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll
      Filesize

      230KB

      MD5

      b56450e3b8209039b134827f8a668c7d

      SHA1

      26f77251e504530addbc4032c3646724d04d0399

      SHA256

      5a17eaf2a7e1afe2da9e6bcf665fe10e787af87147234e7ae901f1b55d65222c

      SHA512

      b0d728368f923444e3360188ae899674c9dd2df044829d9706a38fba0e823f87151dbd4763432299248ce69ab9a8aa43843587b00e981cf18170876320cb7d26

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico
      Filesize

      26KB

      MD5

      8ad28e79941ce3e002804dfe1722ea87

      SHA1

      f0a6461b893023261056dcb0dcfab0c21615a24f

      SHA256

      63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933

      SHA512

      de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log
      Filesize

      4KB

      MD5

      0b0807a4840787d9b1fe1bcdb113185b

      SHA1

      19e12e00f8b5be2381d7e89020f076a98839f877

      SHA256

      19293df661e9fbaf84b5a1bc8aa1acc1e950273b805489c6673319908e8f0082

      SHA512

      03b3ae52ce9959a0f853c86135fd7e44b6205d95ea5a61daa2089a9e7e2046444683c99608b894467d652c1b565f002bf467b5141a6fc139abd4502e58aec638

    • C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log
      Filesize

      346B

      MD5

      dd4f0b148b5797a1ce7d744656fb372d

      SHA1

      403e45dd356fcf209c0606f3a4685ae6b379eff0

      SHA256

      464e643852fd70c699cbe6a4846e09a31d9af5ac6b4225fcf0f29fb37122e631

      SHA512

      bec82e038ed2a14edde5109956cb8b7d8ecc200fcf9c65fd2ca6193fc891e913ae6ada3b2652180b8d382e2d240cd810e3483f77265ad9974161f45eed0ecea9

    • memory/3384-35-0x00000000014C0000-0x00000000014C1000-memory.dmp
      Filesize

      4KB
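The hashes listed above identify this exact build of each dropped component; the report gives no Authenticode information, so a hash match says nothing about whether lmi_rescue.exe is a genuinely signed LogMeIn component. The matcher below is an added example, not part of the report: it embeds the SHA-256 values from the Downloads section and the submitted sample, hashes files in streaming fashion, and walks a directory (a sandbox export, a mounted image, or the live user profile) reporting matches. SHA-256 is used for matching; MD5 and SHA-1 are computed only so the output can be compared with other reports. The memory dump entry has no hash in the report and is therefore not included.

```python
"""Added example: match files against the hashes in this report's Downloads
section. Not part of the report; the IOC table is copied from it."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# SHA-256 -> file name, copied from the report. chatlog.dat appears twice
# because the same path was captured at two sizes during the session.
IOC_SHA256: Dict[str, str] = {
    "99e039eaa6283b9404fc973096dc24906109d19b5a8f7f74a50d90c143b0772a": "2024-06-30_7c676001cc452d83e544c00e398dd207_bkransomware_karagany.exe",
    "fd1e496e73ad49ad618bd2b15a9fcb580944f00ecec79b096089700048cf0251": "lmi_rescue.exe",
    "5a17eaf2a7e1afe2da9e6bcf665fe10e787af87147234e7ae901f1b55d65222c": "rahook.dll",
    "4cda059840b0552fa78121576246a3745785ebc845def31253d5af0de98b77a7": "RescueWinRTLib.dll",
    "eefccc2cef5226feb782be3c73697760ce4d39ec8d939ef161fbe52145db2503": "params.txt",
    "19293df661e9fbaf84b5a1bc8aa1acc1e950273b805489c6673319908e8f0082": "rescue.log",
    "464e643852fd70c699cbe6a4846e09a31d9af5ac6b4225fcf0f29fb37122e631": "session.log",
    "2c3ea79a6ae678c4e5b41504e6b0b07b7def503dd6dac6d7775a7f648554dc9a": "chatlog.dat (98B)",
    "df0b85748785fc7e2edb89c7257e82434d5494c72c3436cf7a687446fec2735c": "chatlog.dat (212B)",
    "918d2ad08059dc59e0b2b2549085d696a7447f1d607eeb7d135546be96491c70": "logo.bmp",
    "63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933": "rescue.ico",
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer, hex-encoded."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same three digests for a file, read in chunks so large files are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_sha256(digest: str) -> Optional[str]:
    """Return the reported file name for a SHA-256, or None. Case-insensitive."""
    return IOC_SHA256.get(digest.strip().lower())


def scan_dir(root: str) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, reported name, sha256) for every match.
    Unreadable files (locked, permission denied) are skipped, not fatal."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            name = match_sha256(digests["sha256"])
            if name:
                hits.append((path, name, digests["sha256"]))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, name, digest in scan_dir(root):
        print(f"{digest}  {name}  <-  {path}")
```

Run it against the profile of the detonated or suspected host (`python ioc_match.py C:\Users\Admin\AppData\Local`); on a live system, add the Authenticode check of any matching executable before deciding whether a match is a remote-support tool a user installed or an unwanted one.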