Analysis

  • max time kernel: 93s
  • max time network: 172s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/09/2022, 14:43

General

  • Target

    PHOTO-DEVOCHKA.exe

  • Size

    238KB

  • MD5

    1414a0cf3ae3455f7445753aa9ef0ac9

  • SHA1

    c6e63022a267155926638e028ba0bfafe614ff15

  • SHA256

    2acd2fd6a3fbb4fe40a62ba571ed6015fdbec4a0a6aec9ccde3f33cbc803fee7

  • SHA512

    939e9f2dca756893d04a1619537ee7e71c7eda27ebf9785b16fe0e892327ba23d2bbc54d82b97e590d803ce01d89087eaf24b330572aa5ba14c0668d9faf29b0

  • SSDEEP

    6144:zbXE9OiTGfhEClq9rZXpdKw/F4qweYG3/jk8hqfFyBgRY7JJUm:/U9XiuiI

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:2396
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops file in Drivers directory
      PID:1608

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

          Filesize

          1KB

          MD5

          74acc3839b6022585e2c1c7f7ad53f72

          SHA1

          7a5dee077413095eae8e8291ff82807644cd5912

          SHA256

          3be6d3561d4332cffcd516d9758b7ca63a59e9de3c1a859ca92e379963faf590

          SHA512

          9aefb31bd6544059f4c327b437b593a185cc0d06d07a4a7422362892aabdcaee80db85f0d1fb73c3e6c4da557b6726394e4403db8c3594f85e2c47934bf5bc38

        • C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

          Filesize

          106B

          MD5

          74305d205702e48e96da6265224b456f

          SHA1

          387686c3598b5d9bb084f1597aeb3c1687b8b001

          SHA256

          afc5e57f3536cc17c46c377efe3746f80079b1917597bb3430298ddb570a3faf

          SHA512

          67fb29190052df27d2a5166a9de5233b64037aac5d00cb31c986850bfcb91f6df8927aa76140dcb126cd8f82eb8dc6c5aaef87816ec5505f176ff62286fafdf0

        • C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll

          Filesize

          1KB

          MD5

          17007b4656d76b453d7306cfd09a8565

          SHA1

          e908c6bebc96f295b29c78913bb595bfdc2c04a8

          SHA256

          2d1763c8e83f20f5b33f06f677b17ef8288c42ef64fccef432ba452c72bd9f3d

          SHA512

          406068fd0570cac510915f8d80cc045ea6afa69dd5653d47d2ea0b675c13a71d5b74d05e163d56c7f94786b4f99c34dd9ff9f8b9a75e85e6e9de0902d2e44a37

        • C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs

          Filesize

          1KB

          MD5

          17007b4656d76b453d7306cfd09a8565

          SHA1

          e908c6bebc96f295b29c78913bb595bfdc2c04a8

          SHA256

          2d1763c8e83f20f5b33f06f677b17ef8288c42ef64fccef432ba452c72bd9f3d

          SHA512

          406068fd0570cac510915f8d80cc045ea6afa69dd5653d47d2ea0b675c13a71d5b74d05e163d56c7f94786b4f99c34dd9ff9f8b9a75e85e6e9de0902d2e44a37

        • C:\Windows\System32\drivers\etc\hosts

          Filesize

          1KB

          MD5

          f2c5d10ad27bb489a71a16e71b70e8b4

          SHA1

          5154928e4445092cedd422c549817c7a50e59d76

          SHA256

          e085c03394954c9b369c0a6f8704062b3c6ab932208fe6061e7a5a5bac851428

          SHA512

          2f01c24aa2cc579b5d77c13a6b2af9f76738f7868c30a665ea0a4759d80032fbb451a1bbf406554223898a3c2ca586d4749a10b445823f28ef0585acbe57edf9