b43baef39458b218c6d27d42c2cbe2ace7c292645f80d62df37574c3a310a435

General

Target

PHOTO-GOLAYA.exe
Size

151KB
MD5

809930b13ab2931e2f202d4ea80b00a4
SHA1

2335da6fb96c9a4e6c43588f5a5d1015919c3d2c
SHA256

06244859c7a207d794500b547d2d0783dc578f932c730c98a7c7102ed7704dd5
SHA512

32ee15b2c48b84b443713227451a1c7e46d1f617aa8d5bb4288c8fbc1782f3ec42fc8bb73759252d27f1af74b2d2e6f59b19e0c1c0f86b7b255f56147dd81db0
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiToRmIdzZl57chknn7sJ9jpj:AbXE9OiTGfhEClq9achkn7wR

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	992	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\come.vbs	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\what_you_say\be_youself\Uninstall.ini	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\seduksenchuk.ico	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\tooo_my_blooood.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\come_to_my_window.aga	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\alone_ndklokajos.olpo	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\Uninstall.exe	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\eto_trava_detka.ggg	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\zapuskalka.bat	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	PHOTO-GOLAYA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2740	2160	PHOTO-GOLAYA.exe	82
PID 2160 wrote to memory of 2740	2160	PHOTO-GOLAYA.exe	82
PID 2160 wrote to memory of 2740	2160	PHOTO-GOLAYA.exe	82
PID 2740 wrote to memory of 992	2740	cmd.exe	84
PID 2740 wrote to memory of 992	2740	cmd.exe	84
PID 2740 wrote to memory of 992	2740	cmd.exe	84
PID 2160 wrote to memory of 3136	2160	PHOTO-GOLAYA.exe	85
PID 2160 wrote to memory of 3136	2160	PHOTO-GOLAYA.exe	85
PID 2160 wrote to memory of 3136	2160	PHOTO-GOLAYA.exe	85

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\what_you_say\be_youself\zapuskalka.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\what_you_say\be_youself\come.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\what_you_say\be_youself\tooo_my_blooood.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\what_you_say\be_youself\come.vbs

Filesize
471B

MD5
b85148ebf1e9cb15591419961b38aa8d

SHA1
294e3b53dc1664c628947a9a79a1b185a6f12eb5

SHA256
06fd6793d892737ae0b8e5cd6313b9eac39020abb5957c555744608215c463f8

SHA512
1c1059e4e4f198d336497cd0c08544db63521deb30353f3f2c091d75dad6de985165be7e39371b05a23933534f20e835f44d1f4d513efad0f2676e2068140bf2

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\come_to_my_window.aga

Filesize
55B

MD5
3b0966bb6b5cae875870581a72ffb31d

SHA1
2469296e1f7acc9dd899827dbb67e8a202e7d51b

SHA256
b0cbab3d35b496b5891bedb9ae00f9201c89bccdec6bb7418ee52439c6307a6e

SHA512
36acd8528ba63d8cd577acc4aeca2377ff202c54a118c741d6f99bed134bd2fb9bdafc794924602549c6fd67f0ff5037c2ce7ab994e23cdf7b88aaa0246ecbb5

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\eto_trava_detka.ggg

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\tooo_my_blooood.vbs

Filesize
912B

MD5
2882fca04e78d7e25472b791e413c55a

SHA1
73746a50b6de9f4d1d0a53532221e9d9c984713b

SHA256
fd87cc5dc48074bc60271de8858be84f64ccdf5446e159f8052b819d77cd692f

SHA512
bb1c00271bcf6cc65013e9f097eb7ebe24ed6a3abb9041b3a7e9ca529f9cc0c843fdcfeafeb43455ec2c9fecba9f02f1d4aef4e563a19ead84833fd7dcb06902

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\zapuskalka.bat

Filesize
3KB

MD5
d71487d555ed0d76126ad62c00668146

SHA1
c7d770f1d0eb473241686fafea1b8ef594fcb474

SHA256
f2c0e1ff5d3ebf97f61f8cddc91e243e794f4deaee05c540c20d08d2998b6bbc

SHA512
7f74f96f762cf3b1b30884c5188773622b55fb74e22dd136b46fe3dd467dae2cfd83f9fd59295e0f8460c251909aaaf19d418f6f779f9aea3f37affc291b0393

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6ab0366c27f08185c0d4375c02596855

SHA1
f9ff3458ec4b5b5aa94eec1e3a212a7921b50478

SHA256
489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee

SHA512
3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4

Download Submit

Analysis

Sharing