221b11a9ca29581978c794f1ad4bad6865407194d8b9351e1d26a553fd541bf4

General

Target

[email protected]/????????? ??? ??????????? ???????? ? ??????????? ???????? ???????????????.exe
Size

8.2MB
MD5

8b7fdb80ea30a675d776ee3c6a2b5062
SHA1

763b7358672ff8b8d7b3428faf4fedb3ad2caaad
SHA256

1ce18f816875dae22ff0e038c9792d28ea649f119428a6b7e5af47e080f1dddd
SHA512

46f8b2f046bf4166dfcd326ddf741f8bcd43fa78ef11af16f6040486f2ce5cd9c632d71d2746d8854e0c1b9d809a09dea557f8e7d4709344026b71fe9af8b06c

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

buchgal.exeirsetup.exe

pid process

4012 buchgal.exe
1392 irsetup.exe

pid	process
4012	buchgal.exe
1392	irsetup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Loads dropped DLL 2 IoCs

Processes:

buchgal.exeirsetup.exe

pid process

4012 buchgal.exe
1392 irsetup.exe
Drops file in Windows directory 1 IoCs

Processes:

irsetup.exe

description ioc process

File opened for modification C:\Windows\Áóõãàëòåð ÇÓ ÌÈÄ (fox 8 to 9 updater) Setup Log.txt irsetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

buchgal.exeirsetup.exe

pid process

4012 buchgal.exe
1392 irsetup.exe
1392 irsetup.exe
1392 irsetup.exe

pid	process
4012	buchgal.exe
1392	irsetup.exe

description	ioc	process
File opened for modification	C:\Windows\Áóõãàëòåð ÇÓ ÌÈÄ (fox 8 to 9 updater) Setup Log.txt	irsetup.exe

pid	process
4012	buchgal.exe
1392	irsetup.exe
1392	irsetup.exe
1392	irsetup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

_________ ___ ___________ ________ _ ___________ ________ _______________.exebuchgal.exe

description	pid	process	target process
PID 2664 wrote to memory of 4012	2664	_________ ___ ___________ ________ _ ___________ ________ _______________.exe	buchgal.exe
PID 2664 wrote to memory of 4012	2664	_________ ___ ___________ ________ _ ___________ ________ _______________.exe	buchgal.exe
PID 2664 wrote to memory of 4012	2664	_________ ___ ___________ ________ _ ___________ ________ _______________.exe	buchgal.exe
PID 4012 wrote to memory of 1392	4012	buchgal.exe	irsetup.exe
PID 4012 wrote to memory of 1392	4012	buchgal.exe	irsetup.exe
PID 4012 wrote to memory of 1392	4012	buchgal.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]\_________ ___ ___________ ________ _ ___________ ________ _______________.exe
"C:\Users\Admin\AppData\Local\Temp\[email protected]\_________ ___ ___________ ________ _ ___________ ________ _______________.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2361464256-2201551969-2316606395-1000"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll
MD5
17fb71eb475eed801023017ea639ecd2

SHA1
3ba1996e23bfd918244dc17f0bfc05d373fcdc2c

SHA256
92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07

SHA512
845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
MD5
928719a4777f2febd0d3331b0ca54796

SHA1
8100b747dbe639f2b30ad8c99790d39236d74ddf

SHA256
bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1

SHA512
82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
MD5
928719a4777f2febd0d3331b0ca54796

SHA1
8100b747dbe639f2b30ad8c99790d39236d74ddf

SHA256
bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1

SHA512
82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll
MD5
17fb71eb475eed801023017ea639ecd2

SHA1
3ba1996e23bfd918244dc17f0bfc05d373fcdc2c

SHA256
92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07

SHA512
845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\quartai.dll
MD5
1efe6ede674eb210b174d752ef46b406

SHA1
d872590443d20ee5f5a5d9660e46cb9c67cb4101

SHA256
6e81929956d64e44b91937abe574271eac629ea4872624f77726ba7777776cc7

SHA512
9963186413fdffba3524b68d10b5ca889905783f073decb2b09b6ef6d6ceb1111b3d25b956cace48c24774320eb13b3be48574ae0680900a31bc0fc559509595

Download Submit

Analysis

Sharing