bae6f805d4aca2df35d818473dede4e39ccfd661bb997303844026aeff8c74c4

General

Target

PHOTO-GOLAYA.exe
Size

238KB
MD5

bd3875791f0a36ed9122352e1b4fe189
SHA1

a3dff7bd641755b5c8b64c4aab59738ec3842d60
SHA256

1973e4168c5aa035cdc9797ffdede9fac7e84064be5019f533a4ac3de2edef0f
SHA512

1709eff81fc9ee3760f3d6128a228655cadd04144d1f877e2c0a04e6ce2215eeb6c2acebca02d741f3a6090a239f1f652547e4c3badcc99db64dc35a8379ff67
SSDEEP

3072:tBAp5XhKpN4eOyVTGfhEClj8jTk+0hd255d5q5hQ2+Cgw5CKHm:obXE9OiTGfhEClq9uk5d5q5hQXJJUm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1396	WScript.exe
5	1396	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\Uninstall.exe	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.cross	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\nu kak bi vsua hernya.fos	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\nu kak bi vsua hernya.fos	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\xranilise_vsei_figni_tut.bok	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\xranilise_vsei_figni_tut.bok	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.cross	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\Uninstall.ini	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1756	1460	PHOTO-GOLAYA.exe	26
PID 1460 wrote to memory of 1756	1460	PHOTO-GOLAYA.exe	26
PID 1460 wrote to memory of 1756	1460	PHOTO-GOLAYA.exe	26
PID 1460 wrote to memory of 1756	1460	PHOTO-GOLAYA.exe	26
PID 1460 wrote to memory of 1396	1460	PHOTO-GOLAYA.exe	28
PID 1460 wrote to memory of 1396	1460	PHOTO-GOLAYA.exe	28
PID 1460 wrote to memory of 1396	1460	PHOTO-GOLAYA.exe	28
PID 1460 wrote to memory of 1396	1460	PHOTO-GOLAYA.exe	28

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.cross

Filesize
1KB

MD5
34d7456a4891f37beb13dcbd036ed75a

SHA1
f64de50386a18592499f36871d7f9aa5f2a94af4

SHA256
286c730af7e132f6e5ce4c421902e6ce9a1155580b4b76f5e79c9540d89bd8fc

SHA512
218cd5e9e416c033451508148af8884c79aa594d8d967b43d749eb608616b775296c03c33844aeff553c65f347f7d2a01af6f2a4369b442ee05798979e7eb6ac

Download Submit
C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.vbs

Filesize
1KB

MD5
34d7456a4891f37beb13dcbd036ed75a

SHA1
f64de50386a18592499f36871d7f9aa5f2a94af4

SHA256
286c730af7e132f6e5ce4c421902e6ce9a1155580b4b76f5e79c9540d89bd8fc

SHA512
218cd5e9e416c033451508148af8884c79aa594d8d967b43d749eb608616b775296c03c33844aeff553c65f347f7d2a01af6f2a4369b442ee05798979e7eb6ac

Download Submit
C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat

Filesize
1KB

MD5
30c3e9c19b53c874e11ebe892b8e482a

SHA1
7c1691acac06d80bdb9008afe846219e87cddd58

SHA256
620071de936ca49df84e241c96cdc171e048ba34156b2cd82dd3593c7b40e7a4

SHA512
3dbaf16c611e143e93160a91f66e7f4d4e7c974cf7994a8a77d540cd77b18066987fb289f66cd8b088850ba8cf587212655aadb7acb0efa9ea19a402b0998e8a

Download Submit
C:\Program Files (x86)\idol ya poka_\no_lover_simp\xranilise_vsei_figni_tut.bok

Filesize
95B

MD5
c92529232d9a24e2bda875c082a00cc0

SHA1
540ab3f9fe1ff856d8d58ec32edc250514c83c53

SHA256
fd7381efc28d01c97a99fe03bb5d232b56bcdc38faac3a836168e3e10badffab

SHA512
f1f107f715ce91fb4b84e4875532e18b97fde182820ae54eed382250a5f921f2435c73ae5d8cb0c84db7843539e900e71d55740eaa8251b4b25f968ca31149ed

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
67bc55178d81571ab2195b11e2f63969

SHA1
734274c92e86e2434019235f389f75c41fcb14d0

SHA256
2d6ee3c359ab382cbd20fe4e85c460e8254e40babe35400f4259a790a8c7eacc

SHA512
5e3958075637e016f97edac81f61a9b10f9c090227ca8108cbd38753861bbb5fca19c8560032ea7291d625f66da73e3bee5be1426d119ee3343dfd76369ab525

Download Submit
memory/1460-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing