5041d46dffe2971fc9377a75559258d7d964ea6237c08f836ac19b22a9f88195

General

Target

PHOTO-GOLAYA.exe
Size

151KB
MD5

355645a5b17f05e83ec34aa3c92cf1c7
SHA1

86be5fc81cbf6608cf7c0562aab214b502bea423
SHA256

9b8bbfcbfe7fbe04408a11bb671dad69906cd95a2a89a94c3d2acaa62823a15c
SHA512

c184a409860a7acf1d35053ac14bab142adb465312196c7f47e40f3c86c3db167ee6d899b2b1626fd7af38abedf5361531e9c4f11e59a4dd0ceb137cfe0e623b
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiwgaHTeflTeJuH9nT:AbXE9OiTGfhEClq9agaza0oT

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	2368	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\Uninstall.ini	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\tom_ebet_vseh_bab.ololo	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\solnisko_moe_vstavai_laskovi_i_takoi_krasivi.lol	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\Uninstall.exe	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2044	4608	PHOTO-GOLAYA.exe	81
PID 4608 wrote to memory of 2044	4608	PHOTO-GOLAYA.exe	81
PID 4608 wrote to memory of 2044	4608	PHOTO-GOLAYA.exe	81
PID 2044 wrote to memory of 2368	2044	cmd.exe	83
PID 2044 wrote to memory of 2368	2044	cmd.exe	83
PID 2044 wrote to memory of 2368	2044	cmd.exe	83
PID 4608 wrote to memory of 5012	4608	PHOTO-GOLAYA.exe	84
PID 4608 wrote to memory of 5012	4608	PHOTO-GOLAYA.exe	84
PID 4608 wrote to memory of 5012	4608	PHOTO-GOLAYA.exe	84

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs

Filesize
962B

MD5
3e98f611d381e822813d5682a600e01e

SHA1
ed6af2bba9c5a7ffcd077d88348ba2cbbe275ac7

SHA256
510ca81d772cd8812a4967ea5a4936f8366a122d52f1356127d3e9ba25621833

SHA512
7e98aff84e6440132dd55204f2ad78654db79e0d3a603e1e4b972bd61123079e9b52d9ddca7c0e7eee5b5a2ea1c8ffd5a71245fbf6bd7eda99b0da3c6f168367

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei

Filesize
54B

MD5
cfe46dd6eb4dfd778e6b52683fc50c83

SHA1
78808114a0ccd19c7d6541d44bc3ce97f718fe5f

SHA256
b8ce33995d95ccf673f4f13ab56f039f72ef52fb2390ccfb8f44ced271e30ea4

SHA512
c4f7fbb8c4400a9a19a6af88166908a178e3ae706476898fb23c45a1caf8fe2756ef00c88fac512319f35a6e17f5cc0fe52ebbc40de95ed306def708ea83ad94

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat

Filesize
3KB

MD5
6849bb00d68513faa1c031aa5cad45e3

SHA1
71b115f7a3d118d6abe4ff5e569b62bdec96709d

SHA256
c7c0a6ebec5addb58ab640a44f4758e4f63e7ff0401a5b910984c756a7fbd42f

SHA512
942d1a0f820c04195ddbe1350bec60ce61afeafe85cca6489777244620da159342127770b7c895360ae19552608e4ef1b718e214d428d9df849264c8b816ef1f

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs

Filesize
315B

MD5
e96bd8fa99b9274d2c7423bd9f55c666

SHA1
5c6d3be41482cbbdac4a9f87c9af804b9ebb3f5d

SHA256
fc02ef8a8a170680e0cd488decbd8d85b168dd0ace817dd6119b178da92b2142

SHA512
4ff0462ceaba86aca135f5cd05870610aa51abc6e8a5b8d089b1bd813dcea77d1fc0d77ab292cfffa12cafffce785b80b4546cb8fc425e07ba6ce575af80713e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
22cf8376bd7251da68d1ac0c6231e294

SHA1
d8388e49907f5a80b2be219665a7fe2607204bc4

SHA256
18bf7cfa28c572d4c2be927596d30c4e9c82e0a695963c1f7209eb5c6b119592

SHA512
541c1589234965c5a64e6ed7fdb332b5a065cc1e2d555928a51aec14aaf57793844fc63724a1878bd1abba8bb641d6879a5311454616cdbf7509e85dcd52e446

Download Submit

Analysis

Sharing