Analysis

max time kernel: 107s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2022 01:04

Behavioral task: behavioral2
Sample: [email protected]/ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe
Resource: win10v2004-20220812-en
General

Target: [email protected]/ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe
Size: 8.2MB
MD5: 8b7fdb80ea30a675d776ee3c6a2b5062
SHA1: 763b7358672ff8b8d7b3428faf4fedb3ad2caaad
SHA256: 1ce18f816875dae22ff0e038c9792d28ea649f119428a6b7e5af47e080f1dddd
SHA512: 46f8b2f046bf4166dfcd326ddf741f8bcd43fa78ef11af16f6040486f2ce5cd9c632d71d2746d8854e0c1b9d809a09dea557f8e7d4709344026b71fe9af8b06c
SSDEEP: 196608:egpFdSD4wJsrfJkVisvKWnVvJQxlNM6z+eQVgNuIQHmQqrRNLTswV:7eEwJji0VWDNM9eOgNVQHmQeRNLTs+
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  2900  buchgal.exe
  2372  irsetup.exe

YARA rule match: upx
Resources:
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  behavioral2/memory/2372-140-0x0000000000400000-0x000000000057E000-memory.dmp
  behavioral2/memory/2372-142-0x0000000000400000-0x000000000057E000-memory.dmp
  behavioral2/memory/2372-143-0x0000000000400000-0x000000000057E000-memory.dmp

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  buchgal.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
  2900  buchgal.exe
  2372  irsetup.exe

Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
  File opened for modification  C:\Windows\Áóõãàëòåð ÇÓ ÌÈÄ (fox 8 to 9 updater) Setup Log.txt  irsetup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
  2372  irsetup.exe
  2372  irsetup.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
  2900  buchgal.exe
  2372  irsetup.exe
  2372  irsetup.exe
  2372  irsetup.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
  PID 724 wrote to memory of 2900   724   ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe  buchgal.exe
  PID 724 wrote to memory of 2900   724   ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe  buchgal.exe
  PID 724 wrote to memory of 2900   724   ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe  buchgal.exe
  PID 2900 wrote to memory of 2372  2900  buchgal.exe  irsetup.exe
  PID 2900 wrote to memory of 2372  2900  buchgal.exe  irsetup.exe
  PID 2900 wrote to memory of 2372  2900  buchgal.exe  irsetup.exe
Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]\ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]\ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe"
  PID: 724
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe"
    PID: 2900
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2629973501-4017243118-3254762364-1000"
      PID: 2372
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll
  Filesize: 50KB
  MD5: 17fb71eb475eed801023017ea639ecd2
  SHA1: 3ba1996e23bfd918244dc17f0bfc05d373fcdc2c
  SHA256: 92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07
  SHA512: 845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
  Filesize: 8.2MB
  MD5: 928719a4777f2febd0d3331b0ca54796
  SHA1: 8100b747dbe639f2b30ad8c99790d39236d74ddf
  SHA256: bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1
  SHA512: 82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  Filesize: 562KB
  MD5: 2a6851974cff57bee62a83c52ce68863
  SHA1: c3b22bb00c555274d6413ae48e3ed82103462ff6
  SHA256: d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1
  SHA512: 25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\quartai.dll
  Filesize: 163KB
  MD5: 1efe6ede674eb210b174d752ef46b406
  SHA1: d872590443d20ee5f5a5d9660e46cb9c67cb4101
  SHA256: 6e81929956d64e44b91937abe574271eac629ea4872624f77726ba7777776cc7
  SHA512: 9963186413fdffba3524b68d10b5ca889905783f073decb2b09b6ef6d6ceb1111b3d25b956cace48c24774320eb13b3be48574ae0680900a31bc0fc559509595

memory/2372-137-0x0000000000000000-mapping.dmp

memory/2372-140-0x0000000000400000-0x000000000057E000-memory.dmp
  Filesize: 1.5MB

memory/2372-142-0x0000000000400000-0x000000000057E000-memory.dmp
  Filesize: 1.5MB

memory/2372-143-0x0000000000400000-0x000000000057E000-memory.dmp
  Filesize: 1.5MB

memory/2900-132-0x0000000000000000-mapping.dmp