Overview
Analysis
- max time kernel: 119s
- max time network: 134s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 19-01-2022 01:04
Behavioral tasks (all run on resource win10-en-20211208; the "?" characters in the sample names are extraction residue where non-ASCII, most likely Cyrillic, file names could not be rendered)
- behavioral2: [email protected]/20_10_2021_01_6101_21____________________________.pdf
- behavioral3: [email protected]/??? ?? ??????????.docx
- behavioral4: [email protected]/?????? ? ????????????????? ?? ????? ?? ???????.docx
- behavioral5: [email protected]/?????? ? ??????????????? ?? ????? ?? ???????.docx
- behavioral6: [email protected]/???????? ?? ????????? ???????????? ??????.pdf
- behavioral7: [email protected]/????????? ??? ??????????? ???????? ? ??????????? ???????? ???????????????.exe
General
- Target: [email protected]/????????? ??? ??????????? ???????? ? ??????????? ???????? ???????????????.exe
- Size: 8.2MB
- MD5: 8b7fdb80ea30a675d776ee3c6a2b5062
- SHA1: 763b7358672ff8b8d7b3428faf4fedb3ad2caaad
- SHA256: 1ce18f816875dae22ff0e038c9792d28ea649f119428a6b7e5af47e080f1dddd
- SHA512: 46f8b2f046bf4166dfcd326ddf741f8bcd43fa78ef11af16f6040486f2ce5cd9c632d71d2746d8854e0c1b9d809a09dea557f8e7d4709344026b71fe9af8b06c
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: PID 4012 buchgal.exe; PID 1392 irsetup.exe
- YARA rule match
  Resource C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe matched rule upx (two matches)
- Loads dropped DLL (2 IoCs)
  Processes: PID 4012 buchgal.exe; PID 1392 irsetup.exe
- Drops file in Windows directory (1 IoC)
  irsetup.exe opened for modification: C:\Windows\Бухгалтер ЗУ МИД (fox 8 to 9 updater) Setup Log.txt
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: PID 4012 buchgal.exe; PID 1392 irsetup.exe (three occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2664 (_________ ___ ___________ ________ _ ___________ ________ _______________.exe) wrote to memory of PID 4012 (buchgal.exe): three occurrences
  PID 4012 (buchgal.exe) wrote to memory of PID 1392 (irsetup.exe): three occurrences
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\[email protected]\_________ ___ ___________ ________ _ ___________ ________ _______________.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]\_________ ___ ___________ ________ _ ___________ ________ _______________.exe"
  - Suspicious use of WriteProcessMemory
  - Level 2 (child): C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Level 3 (child): C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2361464256-2201551969-2316606395-1000"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll
  MD5: 17fb71eb475eed801023017ea639ecd2
  SHA1: 3ba1996e23bfd918244dc17f0bfc05d373fcdc2c
  SHA256: 92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07
  SHA512: 845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
  MD5: 928719a4777f2febd0d3331b0ca54796
  SHA1: 8100b747dbe639f2b30ad8c99790d39236d74ddf
  SHA256: bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1
  SHA512: 82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  MD5: 2a6851974cff57bee62a83c52ce68863
  SHA1: c3b22bb00c555274d6413ae48e3ed82103462ff6
  SHA256: d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1
  SHA512: 25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a
- \Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll
  MD5: 17fb71eb475eed801023017ea639ecd2
  SHA1: 3ba1996e23bfd918244dc17f0bfc05d373fcdc2c
  SHA256: 92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07
  SHA512: 845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f
- \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\quartai.dll
  MD5: 1efe6ede674eb210b174d752ef46b406
  SHA1: d872590443d20ee5f5a5d9660e46cb9c67cb4101
  SHA256: 6e81929956d64e44b91937abe574271eac629ea4872624f77726ba7777776cc7
  SHA512: 9963186413fdffba3524b68d10b5ca889905783f073decb2b09b6ef6d6ceb1111b3d25b956cace48c24774320eb13b3be48574ae0680900a31bc0fc559509595