8d3c3eab95c78492e74e181814bcc4ee20179e20624532420a6b4f9d18c2da23

General

Target

PHOTO-GOLAYA.exe
Size

150KB
MD5

c237cdbb2af3b3d54633c17505b551fd
SHA1

4bb27800290caa82502b343776c704eb139b6357
SHA256

118d9e99dcdbf4b5cac9bd32480ad70206743f5b2c4a96da9ff520c10869982d
SHA512

20178c92b19a9fa7a1c94e259cf29e395b258cba42ff10e439955ac6a63a8695da20f1076fb8c739de01c42386a7a54ce8f85e87fec9e19170aeb62156c428de
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiM5KjPWEHoOYbhwj:AbXE9OiTGfhEClq9dWEHoOD

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	472	WScript.exe
4	472	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\dus_dezodorant\mouyus\Uninstall.ini	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\tutunas.nistyak	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\90909090.ico	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\readme.txt	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 992	1228	PHOTO-GOLAYA.exe	28
PID 1228 wrote to memory of 992	1228	PHOTO-GOLAYA.exe	28
PID 1228 wrote to memory of 992	1228	PHOTO-GOLAYA.exe	28
PID 1228 wrote to memory of 992	1228	PHOTO-GOLAYA.exe	28
PID 992 wrote to memory of 472	992	cmd.exe	29
PID 992 wrote to memory of 472	992	cmd.exe	29
PID 992 wrote to memory of 472	992	cmd.exe	29
PID 992 wrote to memory of 472	992	cmd.exe	29
PID 1228 wrote to memory of 1040	1228	PHOTO-GOLAYA.exe	30
PID 1228 wrote to memory of 1040	1228	PHOTO-GOLAYA.exe	30
PID 1228 wrote to memory of 1040	1228	PHOTO-GOLAYA.exe	30
PID 1228 wrote to memory of 1040	1228	PHOTO-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs

Filesize
817B

MD5
5a5975f7d66e20d79e164362b4bc60c3

SHA1
f0ba5e0f9f3a799d5d4a170c823a6d4db6f20b2c

SHA256
04b882e0b296560dd42cda7d6a6f4bb1d6df50cb5afcb676e1122f8a3b13eba5

SHA512
e28aadf9d22922645b6a2ffaca1f0902958a6d17b00b932c8d846d8dc44814e2a7abafe9a97faf67b116c6318f3d350dffe6cbdb370473129abbad368083de66

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs

Filesize
406B

MD5
2e47c1ca4f794324079858ec721f3483

SHA1
ed79387dcf17731ed77943a39eb5571c395edea1

SHA256
67dff8660edecac42d34525c27ba7b8f1749ccc8f0ab950be58827f9b20bd6d2

SHA512
9630227e71dc218950501556523a4922e50915c7745d88f25e47de198571a464847f1201f793fbd0bea1979e85704dcc50c68e207f979ce39279b6d62d95321f

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\readme.txt

Filesize
57B

MD5
bca1897073db94526d96e5911ba65a6e

SHA1
77e8717731dabe9b7308d96458e4927bdb113564

SHA256
d91952cea951b7f2df935e6ec02d8e8b567a2bbaba0958f078f12088d456189c

SHA512
e847870a7b571af74cb0f29f11872c5372a30e262012a544855fc5e1564c6424c8f0f585b259c2d9017b8829d34f4946a0a093846d2c21275ec50136e9bd9a08

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\tutunas.nistyak

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat

Filesize
3KB

MD5
ad9a52ad18bf9e300396f58cdc6aed1f

SHA1
26af8d833a428bf63d3c869b8807002fe5e29247

SHA256
7b83702814eb258c934516bd4d375f41acde004cb3902e9da7f6fd0d88588701

SHA512
6c9dd5e44934d9ceacd4ce2f98186a41088b3a71647895f6a727e815a858b259c05a5bdf6aa9d513adfcaaddf85794a3d586b22789a9f02abef6da754ef61835

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit
memory/472-60-0x0000000000000000-mapping.dmp

Download
memory/992-55-0x0000000000000000-mapping.dmp

Download
memory/1040-61-0x0000000000000000-mapping.dmp

Download
memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing