cd0dfd49642fbb543c0fb90076150193ebfbb890263969e7da99bb042c06907b

General

Target

RUSSKAYA-GOLAYA.exe
Size

151KB
MD5

929249810766a10968b94e8a81612a8c
SHA1

a0feddd63c524bf302822a8e6aaaca3b3778905c
SHA256

e8d096ff9607f10651e1a3f1f472e49221bd32e2a3d1024ea163328b3df4dcc0
SHA512

289af9dd00b9f00faab0b019e4123c2f59efda915b8bfb0129f4e6e99cc44c5a564c951989d2553397ee57cb33835f07ad4e239ae67f97d39bf4abeaceb142e7
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi6uGoo4wFe:AbXE9OiTGfhEClq93dSe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1396	WScript.exe
4	1396	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\squirting.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\perednyaya.stn	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\hoshesh.chtobi.ya.ushel	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\globalki.vbs	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\lichnost\kolombo\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\energetika_zenshin.ico	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\kontrol.urv	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\Uninstall.exe	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1784	2044	RUSSKAYA-GOLAYA.exe	26
PID 2044 wrote to memory of 1784	2044	RUSSKAYA-GOLAYA.exe	26
PID 2044 wrote to memory of 1784	2044	RUSSKAYA-GOLAYA.exe	26
PID 2044 wrote to memory of 1784	2044	RUSSKAYA-GOLAYA.exe	26
PID 1784 wrote to memory of 1396	1784	cmd.exe	28
PID 1784 wrote to memory of 1396	1784	cmd.exe	28
PID 1784 wrote to memory of 1396	1784	cmd.exe	28
PID 1784 wrote to memory of 1396	1784	cmd.exe	28
PID 2044 wrote to memory of 1640	2044	RUSSKAYA-GOLAYA.exe	29
PID 2044 wrote to memory of 1640	2044	RUSSKAYA-GOLAYA.exe	29
PID 2044 wrote to memory of 1640	2044	RUSSKAYA-GOLAYA.exe	29
PID 2044 wrote to memory of 1640	2044	RUSSKAYA-GOLAYA.exe	29

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\lichnost\kolombo\squirting.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\globalki.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1640

Network

No results found

64.62.191.222:4321

WScript.exe

152 B
3
64.62.191.222:4321

WScript.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs

Filesize
1KB

MD5
a5f3e6c751d3a9b4fd3b7e770a28dad9

SHA1
0c066c446e50b33fa92542d3ba52d9e19f9fee42

SHA256
7e9d60015fa4eb7eb778faf7e93d884b8a34f1c4ae90c50731c5490743bf50d8

SHA512
fb842ed3a2f97de0ad51b3920faf40a6064277e93a3e25df1ae6716041a18a63a00c5d2ebf8c8303bdec583ee3eef954c9267a4841f4313924f4e2193f6b4026

Download Submit
C:\Program Files (x86)\lichnost\kolombo\globalki.vbs

Filesize
269B

MD5
9a52d4ce90c3a194f4f08720fd82c011

SHA1
9417fbad36d2b4d6ca189f856edf03cdf4d59d2a

SHA256
acafe550fcd9300a5896e975e5b9529d29a748a057cc170791c1e936bfe86f39

SHA512
8af852a0f9f66fe1e3973f07cbf6cb260eb225c7c8aa1a40e4c6c3b2629058ae4b4bf75a66a652b852869e757449774749f6ff6d10d162e1fa9bb17d4018fbfe

Download Submit
C:\Program Files (x86)\lichnost\kolombo\kontrol.urv

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\lichnost\kolombo\perednyaya.stn

Filesize
72B

MD5
6cddddd8b0f363a86f561657954a35fb

SHA1
4907494320bfe2df258e2d69b1043c29c832ead5

SHA256
d910893fcdb753a0a65965037f87f87d3614b16e60e7065f0d7087022819309c

SHA512
8daf2ffb0ad6900b24d96f88e37ec3101c61737e3060e522e41c207797190d27d3cb86d7407b24a9df9f7544085e13d8f94e90ff1370cdf6c1f0c47a53818900

Download Submit
C:\Program Files (x86)\lichnost\kolombo\squirting.bat

Filesize
3KB

MD5
a699621849f277d5c0b55e41e0f99115

SHA1
848a67613851032f51bd1f6cd7da9a79e399f610

SHA256
c18d6e710d4e07f7d6e34def7e3b201b471e49711a8024dcce848968a4120e52

SHA512
a91593444dd9ec8ea3648a463a9976a3042e6df4ca105b81c88b8d1d291ecbdc4915062a2ad862c5fc25923647f0f093dcd1dfe103e3003389212235caf36d00

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e4052dfb3eb9ed5a08c840ef4c94dae0

SHA1
a0c8e665659f19d42ac2752b54f735fafdc91178

SHA256
21dbd76790026b47dcfe82b7e974474fce88c5e8ef55848e4ea6492923419ad0

SHA512
f892629aabdea21bf617359c5e3da17eaf5f528f67045506eab46d1677f0ac5935777eb14e60b9ab61566eba2239255a89d4752ab41ee27ed03fae7982d4ab79

Download Submit
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing