562b2c5b62141a7e1646db26724794cc36f7e8ea485475b3facba92c35f3165e

General

Target

RUSSKAYA-GOLAYA.exe
Size

186KB
MD5

80c64043c1255c20f0207bf9a925a088
SHA1

5975af4acc9fc810bc884694f768020ef8e2d9d3
SHA256

fda8ec2e54d0071d4d79ea14d2207a47bef32866347da1191f6fcc3e1a37f285
SHA512

13f29cae9211cb345d11d194eaf9041ee5003e89d0fc5f5aba73175c9317d380bfa7374aa2e54c1692e6e6f41020a8572d60466bae6c023d256bae5b8660ad7b
SSDEEP

3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0h3NxGqJy0x8yd6O:WbXE9OiTGfhEClq9V28ydV

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	1644	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RUSSKAYA-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\i chaya\telochka\nikloka.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\runer.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\valera.alera.valera	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\i chaya\telochka\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\surzik_masurzik.alo	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\nuzki.luzki	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\numerovat.naoborot.str	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 1580	4412	RUSSKAYA-GOLAYA.exe	83
PID 4412 wrote to memory of 1580	4412	RUSSKAYA-GOLAYA.exe	83
PID 4412 wrote to memory of 1580	4412	RUSSKAYA-GOLAYA.exe	83
PID 4412 wrote to memory of 4820	4412	RUSSKAYA-GOLAYA.exe	85
PID 4412 wrote to memory of 4820	4412	RUSSKAYA-GOLAYA.exe	85
PID 4412 wrote to memory of 4820	4412	RUSSKAYA-GOLAYA.exe	85
PID 4820 wrote to memory of 2272	4820	cmd.exe	87
PID 4820 wrote to memory of 2272	4820	cmd.exe	87
PID 4820 wrote to memory of 2272	4820	cmd.exe	87
PID 4820 wrote to memory of 1644	4820	cmd.exe	88
PID 4820 wrote to memory of 1644	4820	cmd.exe	88
PID 4820 wrote to memory of 1644	4820	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\i chaya\telochka\nikloka.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\i chaya\telochka\runer.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:2272
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\i chaya\telochka\nikloka.bat

Filesize
3KB

MD5
433098e9ef4f67f29a45b3244ec453d7

SHA1
3b96364303aa8f2afcab1a50a728de33eb8248d7

SHA256
69662e9d844bbbb8502276f91cdf4a45da6309ec707a78381ab77a92f5cd984e

SHA512
cac86e993fd53e6444d83b521d2d8d359772e3f6ec9cd2d9e988a842dbeae2260ca1ea55a1a137d7efd4451fdb2faec24504abf42b6d85e21e6a8c6784e28eb8

Download Submit
C:\Program Files (x86)\i chaya\telochka\numerovat.naoborot.str

Filesize
65B

MD5
4457e20aa2c0eef83fe4e54eebb64676

SHA1
cc4747476693ab2a510c7a35fd1cbc8980b7af3b

SHA256
a698f2439245fe23c705c7d0904594af21f2ce6edc99d5c4a816a7a677c212e4

SHA512
3a0f119b9c4d89246b5c1cb0e1274b8566013453afe150e1bad203dc1f8538413e94699e807d310e150f059e12d5f9927f6c12343a114fea39f27a8c7ff639c2

Download Submit
C:\Program Files (x86)\i chaya\telochka\nuzki.luzki

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\i chaya\telochka\runer.bat

Filesize
48B

MD5
67644582eca529f145537a3d89d3e2f5

SHA1
6fd664cf328f986fa431edc23d177a39022f586a

SHA256
6f2ef31364ba551708089b9173a866a89d52202b0cc421a6d8a47c69f7313bb6

SHA512
772ae12f391ebb581748c10f15deaa53c0109f4ade19e3325211e07c707e253a25d713b92059ab8f1d96380e0714d950b2e6acf19e97e4e2fd691728df4ad1bd

Download Submit
C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs

Filesize
970B

MD5
a1d4924796bb2ff531ad269eaf7ae4bf

SHA1
382ded3907b6f3526524c890d52a7ed20aaa4547

SHA256
d28398b41e08630d1390bf7d26911350fcb718a9e54e74e5ff210c88675911b9

SHA512
076d69d100184efbe88b9f580ea43cdd225ad8dcfb41031d08c0efa5d42a0587807adb4181e502be79cfa0eae734a60ff977befb94e342bd4bab6e215560c36b

Download Submit
C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs

Filesize
252B

MD5
35ca2cbbbad7d9262e07512efdca7ea2

SHA1
07698da5d6b0966cd76e533ade71de711bfa1769

SHA256
94ed565acddb10e646dd7565fa5779564be88f1ce87b2b58bfcd4cb8d2a2c0f5

SHA512
184e54efba52745057ed3bb834e74a2c580ef83979d54660808d7a801084183e5b63acfb9bb17e832e8dc4da37d1597630c23071d0105087503df26e79ae3d2c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b6124357d6155b9efa66d4d2daf49b1d

SHA1
b3e3c9681f4114a850e903030ae95740810689d4

SHA256
03d8edabf6d1e71e902f60242333930d875e102d4df2f69014333c99cc401d61

SHA512
1ee218b402f8a18d6d9124dafdf091e4cc3ddb216128567b78219e5f64cc9623587fdd770771434e10ed3e325f5c0c456c669d888fbcbf56f84a2a3d4152694d

Download Submit
memory/1580-132-0x0000000000000000-mapping.dmp

Download
memory/1644-140-0x0000000000000000-mapping.dmp

Download
memory/2272-138-0x0000000000000000-mapping.dmp

Download
memory/4820-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing