2537dd19b836a893720e5f3c95bbf23c7fb69ab880778ce5dd100c3fb8d45ba6

General

Target

PHOTO-GOLAYA.exe
Size

149KB
MD5

bb56c5bb89c3b94f370473b957aece84
SHA1

4139ddb92122333d61e57c97cbd75a91bd8a42ed
SHA256

b3928bb091873840a406cb0f0c3f5f35fb8c04d729b407672c498f6a78e74f8c
SHA512

ff6a55323b554e88d96d3ac29c9e0187f295af7c7065a2bf20b5fe494bdb3068f422142631bc39b24e4174957095e99afffa162065740934f17d94c6cab1a374
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiztfVOO0krXu:AbXE9OiTGfhEClq9pf76

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4424	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F856A0DB-C1CC-4C04-87C7-3F6629277CB4}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E107ED40-6B94-4470-9ADC-3365D2505598}.catalogItem	svchost.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Produc\New\nuashks.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\samisok.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nadopilitsa.nabazu	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\Produc\New\nadopilitsa.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Produc\New\poppets.txt	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nevedomaya.hernya	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nadopilitsa.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Produc\New\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\Produc\New\Uninstall.ini	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2212	2228	PHOTO-GOLAYA.exe	75
PID 2228 wrote to memory of 2212	2228	PHOTO-GOLAYA.exe	75
PID 2228 wrote to memory of 2212	2228	PHOTO-GOLAYA.exe	75
PID 2212 wrote to memory of 4424	2212	cmd.exe	77
PID 2212 wrote to memory of 4424	2212	cmd.exe	77
PID 2212 wrote to memory of 4424	2212	cmd.exe	77
PID 2228 wrote to memory of 2352	2228	PHOTO-GOLAYA.exe	78
PID 2228 wrote to memory of 2352	2228	PHOTO-GOLAYA.exe	78
PID 2228 wrote to memory of 2352	2228	PHOTO-GOLAYA.exe	78

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Produc\New\nadopilitsa.nabazu

Filesize
234B

MD5
6c86f55825faf8d78c73a75593532b62

SHA1
b588b22149a5ea676e748637b5273df66874df94

SHA256
f0f5980f257615ea251f33cec0bb508210a348348b5384b9c72c969e26f854ec

SHA512
8f55b699454ac573d72c2488c39fd4935f569438929651afbfe911c8302fd2a9e29036a655118aa272d6e9664734c23b605ff61e440640c2cd9474c4373b6ef2

Download Submit
C:\Program Files (x86)\Produc\New\nadopilitsa.vbs

Filesize
234B

MD5
6c86f55825faf8d78c73a75593532b62

SHA1
b588b22149a5ea676e748637b5273df66874df94

SHA256
f0f5980f257615ea251f33cec0bb508210a348348b5384b9c72c969e26f854ec

SHA512
8f55b699454ac573d72c2488c39fd4935f569438929651afbfe911c8302fd2a9e29036a655118aa272d6e9664734c23b605ff61e440640c2cd9474c4373b6ef2

Download Submit
C:\Program Files (x86)\Produc\New\nevedomaya.hernya

Filesize
44B

MD5
909307255b6031a469dd1ee6bf4d3e88

SHA1
634ab51e9344f086c2270896d446530a34fac605

SHA256
e7ec60ff4476cd07a52c82818783ab82535187092b85eab3e33d7855c64d0ea7

SHA512
d69902aa1e5006c54fbc97f2fc8d62c522089d6d4b22c06070391a49c200566d6f8c1b9ddde4f5e402e6ce11a454a7a00a59d4521424f8d3515f134fa9c34a37

Download Submit
C:\Program Files (x86)\Produc\New\nuashks.bat

Filesize
3KB

MD5
5344c1ee5d19842f875b732e28d78df5

SHA1
3d6dd120c45c4e2c7da6e73d0d2a2bf44ab62c08

SHA256
4f444d593d36894b9f31ac5d34ed0da77dd193caeb08e59c6e0b9697a0404d05

SHA512
82eec69b768350757f6a1ad72b62d0ec800f90ddb8d264de06b8e3ba3c3eb7875acbd7d69f52e646fff4f6e1de42d47630379a6eec3984415a7446410bd998c1

Download Submit
C:\Program Files (x86)\Produc\New\poppets.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Produc\New\samisok.vbs

Filesize
766B

MD5
d75b4ac2afa8da8d78931cb84e36f6b9

SHA1
5d17b6aace7772f0ea3a2abcf404267180460dd0

SHA256
fbdcd852e988e5356e979c673aa93b363c182545aadf03d02dcba556bacfaf43

SHA512
df5df025b16b1bce547f0ae3f5694e8856b68c2df3009cc6e96ce386fc263dd7a5c189f76baa386b825192fbf901a33ae2aec77f8ba17a1e8b029fe96cbf7f7c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads