84dfb6ad0685f7f848809234fe60ccc24be0b52a5fd16435fe1c51f347e283a7

General

Target

PHOTO-DEVOCHKA.exe
Size

151KB
MD5

671de3f3bbe598bd82e71b7a6eb5dea1
SHA1

eec94475956b4780a2e8442c421dde864a53f808
SHA256

f59766c94a34985d9005e28371a376ad6da603bcd671009a723981732226da6e
SHA512

f8532f3a3b6d1178ea9a0ccbb5fe34ee59e24287c47eb4e178ec01b4dcbe413e1f9ed50276520f972f60b1d28426eac449d7e5f48bab3014419842434314879b
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi4lLlgKgssPVJ/eu:AbXE9OiTGfhEClq9ypriFeu

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	976	WScript.exe
6	976	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\serdce_bolit.ico	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\Uninstall.exe	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\na_dva\vesna_nebo_i\Uninstall.ini	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\serdtse_toskuet.iop	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\nebo_i.utro	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\tut_booovshe.poher	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1204	2036	PHOTO-DEVOCHKA.exe	26
PID 2036 wrote to memory of 1204	2036	PHOTO-DEVOCHKA.exe	26
PID 2036 wrote to memory of 1204	2036	PHOTO-DEVOCHKA.exe	26
PID 2036 wrote to memory of 1204	2036	PHOTO-DEVOCHKA.exe	26
PID 1204 wrote to memory of 976	1204	cmd.exe	28
PID 1204 wrote to memory of 976	1204	cmd.exe	28
PID 1204 wrote to memory of 976	1204	cmd.exe	28
PID 1204 wrote to memory of 976	1204	cmd.exe	28
PID 2036 wrote to memory of 784	2036	PHOTO-DEVOCHKA.exe	29
PID 2036 wrote to memory of 784	2036	PHOTO-DEVOCHKA.exe	29
PID 2036 wrote to memory of 784	2036	PHOTO-DEVOCHKA.exe	29
PID 2036 wrote to memory of 784	2036	PHOTO-DEVOCHKA.exe	29

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na_dva\vesna_nebo_i\nebo_i.utro

Filesize
45B

MD5
06ea6be681b324ff81cc8c6478a8aff8

SHA1
692f7ce7b3b81b976e5bb37d9c2753bf4d45a68e

SHA256
eace7d85d068682b830bf70852004c1387f8989969b5ddd78fee89b6ae9dc222

SHA512
9702c617a232a07ec2ddc3fa882bfcebc8427b3b4194702fbddd90a3c9d92f8461617421872a48fd44fa4380e6631090ea5a9e64ee0d8fbd485d53ac0712f96d

Download Submit
C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs

Filesize
880B

MD5
495d525cc5689b9e52594a53cc9ed45c

SHA1
8086c2e25cde7f371f4ba54fa4906d0b1fc8e10e

SHA256
ac320ba09590759f480c19e8197e3901b78bbcc910a46f869beae67c64942ea3

SHA512
86f38652ffcf2f1d3048b2ff74888acf67fdd8a11ce7ab3083a5e05b96cd0a06cb7043f199befefd4c9e3c437d82571722178a7516c84cd4f7da621fe74e02c8

Download Submit
C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat

Filesize
3KB

MD5
73f3dc597b6dcf51f88c83997b78ba74

SHA1
30cf5f4db72ba6524e7d48eaa1512e50c85edd16

SHA256
7143cdee027d2c463ad7dc83eea1feb8b5635f830911777507f03a881eccc01e

SHA512
d2869c483db6eb1b43f771f84bef1757d54888e5e601ff4857df8c6ee52a137efa83f822f0d73456dee05b057a55ca6355b494c868964b8cebba9992d65004d5

Download Submit
C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs

Filesize
387B

MD5
7451c9a2cc9ebe4204db926127027f27

SHA1
695e61cfdf8ff6914ff52688062edc0c3befaa46

SHA256
28a0018651085d0fb8c8ce4cdf70eb605a3a44c122a3bcbdec1317dc23f739d3

SHA512
fae1b3a9f8df4b8d8f831cc36b8dd2f94ea07453cf34eb7a65441e09f6af481c3e096333e927224a8c44e4e02da442bcb15d9bceee1b343c3ba273332b5735f7

Download Submit
C:\Program Files (x86)\na_dva\vesna_nebo_i\serdtse_toskuet.iop

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6ab0366c27f08185c0d4375c02596855

SHA1
f9ff3458ec4b5b5aa94eec1e3a212a7921b50478

SHA256
489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee

SHA512
3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4

Download Submit
memory/2036-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing