f4908dbdd0bdc4bcedf81e4bf1ee1c04dad34e3c321b5d197f27250f4362badf

General

Target

RUSSKAYA-GOLAYA.exe
Size

150KB
MD5

545874cf7d80393aede1205d65071c96
SHA1

7d0a43a6b48f5c6f8f19670ba5d7002e3d9579f4
SHA256

b7f536b8797f5abc1f03efaad3f920e45f5cbdb99b6896cd30cdd597425bfc23
SHA512

a828467270b8528ba8c91ea20a76e78c08140a800aa90652f66c5787c210195eb4b70c01a13f6a081f955e8ada1cd934a29b451c4dae7a027e90f8fb8ff44e92
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiewi7Pgd7Xw:AbXE9OiTGfhEClq9APU7g

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	60	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RUSSKAYA-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\domashku\zry\gggg.ico	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\domashku\zry\novaya_h.uita	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\domashku\zry\ya_ne_lublu_ne_nitie_be_bluz.fff	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\domashku\zry\ovos.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\domashku\zry\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\domashku\zry\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\domashku\zry\alena_lubit.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\domashku\zry\kak_stik.stoit	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\domashku\zry\ogorodiki.vbs	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	RUSSKAYA-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1884	4936	RUSSKAYA-GOLAYA.exe	81
PID 4936 wrote to memory of 1884	4936	RUSSKAYA-GOLAYA.exe	81
PID 4936 wrote to memory of 1884	4936	RUSSKAYA-GOLAYA.exe	81
PID 1884 wrote to memory of 60	1884	cmd.exe	83
PID 1884 wrote to memory of 60	1884	cmd.exe	83
PID 1884 wrote to memory of 60	1884	cmd.exe	83
PID 4936 wrote to memory of 5104	4936	RUSSKAYA-GOLAYA.exe	84
PID 4936 wrote to memory of 5104	4936	RUSSKAYA-GOLAYA.exe	84
PID 4936 wrote to memory of 5104	4936	RUSSKAYA-GOLAYA.exe	84

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\domashku\zry\alena_lubit.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\domashku\zry\ovos.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:60
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\domashku\zry\ogorodiki.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\domashku\zry\alena_lubit.bat

Filesize
3KB

MD5
48b4eab9691f585cb1a0297e5529d618

SHA1
d3e54674fe5a7e15fec49d3e2a819c69988187c8

SHA256
5207e8b6c618e721c7337d8ff44ac2f2f1e6def3724ea195a0cd13451e108440

SHA512
9cc3e053779850f4211b1a1aa36f576723726f941701c7d5813fad7697ec039a1b59e707a9b63efa3e45518e462d9b84eb1d3af7a3ce2455bdaa8867e5f12c2c

Download Submit
C:\Program Files (x86)\domashku\zry\kak_stik.stoit

Filesize
47B

MD5
8c624a56daad221d8c4eaec9c1af7aba

SHA1
5d02e2713082b76522afcb45f68b7e75baf5931c

SHA256
8721728e31608e93c53b5d7409be7727bdc54ed350c343e5be05e7c364541a5e

SHA512
7bd62dc27f3fa22c64237a1bcbbb4a353ee80fa52a525547f55cf29c58d32700a077870b2f2397e9604a1a4c13cedc264cda4363cd7949c06db4d54d39c626f9

Download Submit
C:\Program Files (x86)\domashku\zry\novaya_h.uita

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\domashku\zry\ogorodiki.vbs

Filesize
876B

MD5
ec1e99ea6ec502dbd3d9a89af9f0c08f

SHA1
978bb2c65c4d5518c87da2c6d3f280322d6a6578

SHA256
ab92c815176e8468df88001c8d4f05c482d5a2adf8af573e7ed6d84186574783

SHA512
5ea342e3cfa70a370b13f75aef5dc7454abc570e8cdadae40c2187876882a8188cd80b181554f1be3c619126e6f17dbd499c95402df7a6572a8199bba06e736a

Download Submit
C:\Program Files (x86)\domashku\zry\ovos.vbs

Filesize
379B

MD5
4f7eda3f132b397fde59efb48448f016

SHA1
28911a35628b6f62719dafb07b1769e950dbe115

SHA256
1fc4fd30704dc460b071e9c0ad19964dbf595cfee60cefd229fd7cc6a0427c07

SHA512
c9232444f9bb9b7e89d6cf0e5b822b1735de970d94cf96830de001ce56edb8e28c8732511b8277791e2e7b59d14772dfcd74ec69757145254ab06d776b1acaa2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6ab0366c27f08185c0d4375c02596855

SHA1
f9ff3458ec4b5b5aa94eec1e3a212a7921b50478

SHA256
489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee

SHA512
3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4

Download Submit

Analysis

Sharing