001f329a99a84175ebadb671170482baeef0338807e93f399825381e58807f37

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]/ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe
Size

8.2MB
MD5

8b7fdb80ea30a675d776ee3c6a2b5062
SHA1

763b7358672ff8b8d7b3428faf4fedb3ad2caaad
SHA256

1ce18f816875dae22ff0e038c9792d28ea649f119428a6b7e5af47e080f1dddd
SHA512

46f8b2f046bf4166dfcd326ddf741f8bcd43fa78ef11af16f6040486f2ce5cd9c632d71d2746d8854e0c1b9d809a09dea557f8e7d4709344026b71fe9af8b06c
SSDEEP

196608:egpFdSD4wJsrfJkVisvKWnVvJQxlNM6z+eQVgNuIQHmQqrRNLTswV:7eEwJji0VWDNM9eOgNVQHmQeRNLTs+

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	buchgal.exe

Executes dropped EXE 2 IoCs

pid	Process
1092	buchgal.exe
3780	irsetup.exe

Loads dropped DLL 2 IoCs

pid	Process
1092	buchgal.exe
3780	irsetup.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x0007000000023127-154.dat	upx
behavioral8/files/0x0007000000023127-159.dat	upx
behavioral8/files/0x0007000000023127-160.dat	upx
behavioral8/memory/3780-175-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral8/memory/3780-192-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral8/memory/3780-195-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral8/memory/3780-199-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral8/memory/3780-201-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral8/memory/3780-204-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral8/memory/3780-205-0x0000000000400000-0x000000000057E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Áóõãàëòåð ÇÓ ÌÈÄ (fox 8 to 9 updater) Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1092	buchgal.exe
3780	irsetup.exe
3780	irsetup.exe
3780	irsetup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1092	4316	ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe	82
PID 4316 wrote to memory of 1092	4316	ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe	82
PID 4316 wrote to memory of 1092	4316	ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe	82
PID 1092 wrote to memory of 3780	1092	buchgal.exe	84
PID 1092 wrote to memory of 3780	1092	buchgal.exe	84
PID 1092 wrote to memory of 3780	1092	buchgal.exe	84

C:\Users\Admin\AppData\Local\Temp\[email protected]\ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe
"C:\Users\Admin\AppData\Local\Temp\[email protected]\ПРОГРАММА ДЛЯ РЕГИСТРАЦИИ ПРИВИТЫХ В ФЕДЕРАЛЬН�.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1529757233-3489015626-3409890339-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll

Filesize
50KB

MD5
17fb71eb475eed801023017ea639ecd2

SHA1
3ba1996e23bfd918244dc17f0bfc05d373fcdc2c

SHA256
92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07

SHA512
845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.dll

Filesize
50KB

MD5
17fb71eb475eed801023017ea639ecd2

SHA1
3ba1996e23bfd918244dc17f0bfc05d373fcdc2c

SHA256
92656ad7e6d236a890167ef158364dec432e82cef7ec21f214191a535e405b07

SHA512
845bf27edfeed84b92810aefda87884bdfb2b0445c92ee766c90e22f0ceb098d0785000fe5b28a0188a622f9894e763f97702a39beba60012c90a9aaeabc7b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe

Filesize
8.2MB

MD5
928719a4777f2febd0d3331b0ca54796

SHA1
8100b747dbe639f2b30ad8c99790d39236d74ddf

SHA256
bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1

SHA512
82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe

Filesize
8.2MB

MD5
928719a4777f2febd0d3331b0ca54796

SHA1
8100b747dbe639f2b30ad8c99790d39236d74ddf

SHA256
bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1

SHA512
82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\buchgal.exe

Filesize
8.2MB

MD5
928719a4777f2febd0d3331b0ca54796

SHA1
8100b747dbe639f2b30ad8c99790d39236d74ddf

SHA256
bc5598da035b0d745358d0bc902c3defa217e2688b5836432254bdfd048781c1

SHA512
82d5ea447b7b13e7d4612e3c5b267d7dd22a26d07fc4e5e43f7a01aea88fe310f3e7bd6b1e966e9ac77e3c5af217a9a3006a4ebc3843311ebd9100d28234df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
54KB

MD5
488b46d903ca0733775cfacee8602b60

SHA1
d119ccdb1239509429f3f0c226682f75d61c3256

SHA256
8f9e6ecb25657d3c860c4240fd2525073d8b169cb42f88a4ddcc5fe2444e202b

SHA512
73e1b66dcc84aecfcc2ac7954e726c5cc950bce1bbca563f1fc23e9998f204df9ed122104b7d76f604e50d9dffd041eb72177e8dfdd8f5d01dfdb8f49a3db4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.JPG

Filesize
56KB

MD5
62ff5016af0b40b436491668bd046797

SHA1
1109236a3086c5e4a5e896c7edfac5b8946ac6d9

SHA256
30547400d372b5170d8d2bf5c53051b09178bdce7c2eb37b0019da196057169c

SHA512
104bcf92e0ac3885548c1344a8d0c06d083a4cf6c810ba7c0041469b70379cf962493713214f5365b4dbe702924cfdacf5b25ceeb1819a8c7ccb7905b2306c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\quartai.dll

Filesize
163KB

MD5
1efe6ede674eb210b174d752ef46b406

SHA1
d872590443d20ee5f5a5d9660e46cb9c67cb4101

SHA256
6e81929956d64e44b91937abe574271eac629ea4872624f77726ba7777776cc7

SHA512
9963186413fdffba3524b68d10b5ca889905783f073decb2b09b6ef6d6ceb1111b3d25b956cace48c24774320eb13b3be48574ae0680900a31bc0fc559509595

Download Submit
memory/3780-175-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3780-192-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3780-195-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3780-199-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3780-201-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3780-204-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3780-205-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download