Overview

overview

8

Static

static

PHOTO-DEVOCHKA.exe

windows7-x64

8

PHOTO-DEVOCHKA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    158s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2022 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PHOTO-DEVOCHKA.exe

  • Size

    151KB

  • MD5

    da55bc0842b0b3a01fa050d40b3e660e

  • SHA1

    80a477716badf385400c7352de12d839d26875f3

  • SHA256

    830c4252ab03327fc0edd99999013c1fa3aa2c634c0e059cafcd392f71e88d30

  • SHA512

    c361bb7bafae77f4b220d429af19d7416709876c1d9285bce6a9be7d381c1a44c6685ee373812a8c8c9fb908d2ed8767b3b21ccb7d8b1ac6b1f84b5bd9a0deb8

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hicVgSPWo/Jv:AbXE9OiTGfhEClq9rLAv

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\tochno_lukavish\oi_lukavish\shipilovSan.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tochno_lukavish\oi_lukavish\prisel_na_travu.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4944
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tochno_lukavish\oi_lukavish\still_loving_youuuu.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:5068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\tochno_lukavish\oi_lukavish\memouries.hid
    Filesize

    40B

    MD5

    ba522ae27275a2f6ed2ab77849178d8f

    SHA1

    9b616c9d7493dc6b13a0242cc651cafe381922d3

    SHA256

    72f5a2cf2062f481901059cfaec4de31a72ac959668faafdb1312e88038e2939

    SHA512

    232ea039ca6dcae1d856d5d3a2b96e60a3d61380ca141da68981f74344756e2ced4ef7bbd7e51d78d628148105543d3edafab0789a6412affa537dca637a6829

    Download Submit

  • C:\Program Files (x86)\tochno_lukavish\oi_lukavish\prisel_na_travu.vbs
    Filesize

    256B

    MD5

    4ccdf27c42375cf6829e7ac9eac0fc91

    SHA1

    58f9d273b2a6d54b452849ebda416d7bf1f87189

    SHA256

    3be79a701f9eb3a07991af1ac4d4dd0bb33a0649158a5ba10f41e53586dbfbc8

    SHA512

    67c4d326baa9cf5b169cbd45f55b5a67b31bdf8de1bb604555f1e24376b6321839e6effacee740664e729124b4edf50c7666f68c5d039b3f01cc59caec305ad4

    Download Submit

  • C:\Program Files (x86)\tochno_lukavish\oi_lukavish\shipilovSan.bat
    Filesize

    3KB

    MD5

    204293d4c85c2f5ed37416dd6f8ab26b

    SHA1

    5d7cc2699b1310ee6b5b88f05b51244f7df421f2

    SHA256

    64a8d777fde3e70771518ae8f77723a5540651ec2d1a1d75a85fe8c51805295e

    SHA512

    a0e8af635a66d433f2c7f22cb712d1473d35734e39a626f9ad599b2aa10af71985e938d3f3a0aa7567e69dd6a8468c2076099910c1eb2ccc0e17a3e5b009dfcf

    Download Submit

  • C:\Program Files (x86)\tochno_lukavish\oi_lukavish\spolna_nam.nav
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\tochno_lukavish\oi_lukavish\still_loving_youuuu.vbs
    Filesize

    978B

    MD5

    4b298f73b765be0b93732a53d7136dc9

    SHA1

    ed60901060d39e468977847fc4bfc391da357328

    SHA256

    98fd8a1eeb075e1513ebf72bec8b1a67ee7a13e43fba72f1d9207be66a8c2f08

    SHA512

    2448b1a49fe920163630e589f83a3acd3fc6df7c4070dd92ea014f435db2ffe7f6b742ddbbe8d69266e611bcc1681766091d2f26c7d46eda6375758de0bd3247

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    6ab0366c27f08185c0d4375c02596855

    SHA1

    f9ff3458ec4b5b5aa94eec1e3a212a7921b50478

    SHA256

    489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee

    SHA512

    3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4

    Download Submit

  • memory/1292-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4944-136-0x0000000000000000-mapping.dmp

    Download

  • memory/5068-137-0x0000000000000000-mapping.dmp

    Download