Overview

overview

8

Static

static

PHOTO-DEVOCHKA.exe

windows7-x64

8

PHOTO-DEVOCHKA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    57s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2022, 22:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PHOTO-DEVOCHKA.exe

  • Size

    150KB

  • MD5

    9fcb47ec7908b46b029001a8f34a7b71

  • SHA1

    a7c56e81bbea0611d6207aceb9f9a9278cdbb1fa

  • SHA256

    11230d56b431972ce4366660080af1cefc2443073ad089797ffa1d6e0ce6be80

  • SHA512

    88e93b71e286808593b45cfe937d63cdff6b34cdd89d24bc6e09e0ac8428f4645d627db79e4f8d134b44450e6cae9a38ee5db5f239519692fb637e2a416d4b38

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hirzE2/gIfr:AbXE9OiTGfhEClq9dbgIz

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1560
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1532

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs
          Filesize

          761B

          MD5

          7776c38948acf9a6b1c668474775876d

          SHA1

          19e98e4f8370710ea7cd9d78a24dfdf5520b5646

          SHA256

          b902451988810182f7b1ac039e31bd3aadcd2b7db46b9b0e267334b5467aa694

          SHA512

          988f51c9621a3cb33f79324aed1903901953160793705b502afb6d1ec7fabfc2042f10079db5d8b9402275f6f6f68726b6ced0f0926dbec6323de738362869c8

          Download Submit

        • C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs
          Filesize

          331B

          MD5

          960d1d82bd6cf054b47b0b67860d1394

          SHA1

          576620bd91a89aa882df6b4bb69dbb41dcb3d955

          SHA256

          f5bb3d727d2cd634792c504278a2158f90fa7f6c5bc5db2535953a1d9b19adbf

          SHA512

          77bb617484364122c15018e5bff0680df96090977d858862953e4c31fb230a73fc9a6676022729c1b7ff4f124c4b260b3f91de441b52f75107a780f86e2719f6

          Download Submit

        • C:\Program Files (x86)\dus_dezodorant\mouyus\readme.txt
          Filesize

          52B

          MD5

          48cf999da2a53de86caa4e680b24f92a

          SHA1

          9975b138c57c63f20de4fdde7be9bfb3a960b85f

          SHA256

          8870371641eff7efa2cce7decff87e1286ba71f60ad26cb1c56d2c9f5c4e0d90

          SHA512

          3927cfcc79fa1435efadea5d46226f6f8f398a5bf32aef36b2fd1f17f87c4ba838d3c26171f87366e08db0ee43d875d3bb4c84886bbcc77041df4faee1b13efe

          Download Submit

        • C:\Program Files (x86)\dus_dezodorant\mouyus\tutunas.nistyak
          Filesize

          27B

          MD5

          213c0742081a9007c9093a01760f9f8c

          SHA1

          df53bb518c732df777b5ce19fc7c02dcb2f9d81b

          SHA256

          9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

          SHA512

          55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

          Download Submit

        • C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat
          Filesize

          3KB

          MD5

          4811f08669694f8a55cd57ae61d2cb20

          SHA1

          67a106509cf9e3423c8944c62e7e92acfcb3a217

          SHA256

          e4b89d3e94646cb3ce7bd4fdeede5444d36551b2b902608b00671b8d2d94ab57

          SHA512

          7fad3b245bb32bf83af4d4ba3fc2106702fbcd6013eee9135d0f3bbb990a96cdb50e59443c3771b6727dbf454e0020c5cdea78b74b4b8acbdc45ba7c8daf6304

          Download Submit

        • C:\Windows\System32\drivers\etc\hosts
          Filesize

          1KB

          MD5

          0021c993f6e270022b22a1f77f6797c1

          SHA1

          8f0081a7735307c166ec3a995716dd5306723410

          SHA256

          47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

          SHA512

          d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

          Download Submit

        • memory/1112-54-0x0000000076031000-0x0000000076033000-memory.dmp

          Filesize

          8KB

          Download