Analysis

  • max time kernel
    119s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    19-01-2022 01:04

General

  • Target

    [email protected]/????????? ??? ??????????? ???????? ? ??????????? ???????? ???????????????.exe

  • Size

    8.2MB

  • MD5

    8b7fdb80ea30a675d776ee3c6a2b5062

  • SHA1

    763b7358672ff8b8d7b3428faf4fedb3ad2caaad

  • SHA256

    1ce18f816875dae22ff0e038c9792d28ea649f119428a6b7e5af47e080f1dddd

  • SHA512

    46f8b2f046bf4166dfcd326ddf741f8bcd43fa78ef11af16f6040486f2ce5cd9c632d71d2746d8854e0c1b9d809a09dea557f8e7d4709344026b71fe9af8b06c

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]\_________ ___ ___________ ________ _ ___________ ________ _______________.exe
    "C:\Users\Admin\AppData\Local\Temp\[email protected]\_________ ___ ___________ ________ _ ___________ ________ _______________.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2361464256-2201551969-2316606395-1000"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll
    MD5

    17fb71eb475eed801023017ea639ecd2

    SHA1

    3ba1996e23bfd918244dc17f0bfc05d373fcdc2c

    SHA256

    92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07

    SHA512

    845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
    MD5

    928719a4777f2febd0d3331b0ca54796

    SHA1

    8100b747dbe639f2b30ad8c99790d39236d74ddf

    SHA256

    bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1

    SHA512

    82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
    MD5

    928719a4777f2febd0d3331b0ca54796

    SHA1

    8100b747dbe639f2b30ad8c99790d39236d74ddf

    SHA256

    bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1

    SHA512

    82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    MD5

    2a6851974cff57bee62a83c52ce68863

    SHA1

    c3b22bb00c555274d6413ae48e3ed82103462ff6

    SHA256

    d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

    SHA512

    25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    MD5

    2a6851974cff57bee62a83c52ce68863

    SHA1

    c3b22bb00c555274d6413ae48e3ed82103462ff6

    SHA256

    d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

    SHA512

    25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

  • \Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll
    MD5

    17fb71eb475eed801023017ea639ecd2

    SHA1

    3ba1996e23bfd918244dc17f0bfc05d373fcdc2c

    SHA256

    92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07

    SHA512

    845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\quartai.dll
    MD5

    1efe6ede674eb210b174d752ef46b406

    SHA1

    d872590443d20ee5f5a5d9660e46cb9c67cb4101

    SHA256

    6e81929956d64e44b91937abe574271eac629ea4872624f77726ba7777776cc7

    SHA512

    9963186413fdffba3524b68d10b5ca889905783f073decb2b09b6ef6d6ceb1111b3d25b956cace48c24774320eb13b3be48574ae0680900a31bc0fc559509595