Analysis

  • max time kernel: 155s
  • max time network: 165s
  • platform: windows10-2004_x64
  • resource: win10v2004-20221111-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/11/2022, 17:07

General

  • Target: PHOTO-DEVOCHKA.exe
  • Size: 151KB
  • MD5: 671de3f3bbe598bd82e71b7a6eb5dea1
  • SHA1: eec94475956b4780a2e8442c421dde864a53f808
  • SHA256: f59766c94a34985d9005e28371a376ad6da603bcd671009a723981732226da6e
  • SHA512: f8532f3a3b6d1178ea9a0ccbb5fe34ee59e24287c47eb4e178ec01b4dcbe413e1f9ed50276520f972f60b1d28426eac449d7e5f48bab3014419842434314879b
  • SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi4lLlgKgssPVJ/eu:AbXE9OiTGfhEClq9ypriFeu

Score: 8/10

Malware Config

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Drops file in Drivers directory (3 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Drops file in Program Files directory (9 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies registry class (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe (PID 1768, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 1468, depth 2)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat" "
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\WScript.exe (PID 1056, depth 3)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs"
        • Blocklisted process makes network request
    • C:\Windows\SysWOW64\WScript.exe (PID 4192, depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs"
      • Drops file in Drivers directory

Network

        MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\nebo_i.utro
    Filesize: 45B
    MD5: 06ea6be681b324ff81cc8c6478a8aff8
    SHA1: 692f7ce7b3b81b976e5bb37d9c2753bf4d45a68e
    SHA256: eace7d85d068682b830bf70852004c1387f8989969b5ddd78fee89b6ae9dc222
    SHA512: 9702c617a232a07ec2ddc3fa882bfcebc8427b3b4194702fbddd90a3c9d92f8461617421872a48fd44fa4380e6631090ea5a9e64ee0d8fbd485d53ac0712f96d

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs
    Filesize: 880B
    MD5: 495d525cc5689b9e52594a53cc9ed45c
    SHA1: 8086c2e25cde7f371f4ba54fa4906d0b1fc8e10e
    SHA256: ac320ba09590759f480c19e8197e3901b78bbcc910a46f869beae67c64942ea3
    SHA512: 86f38652ffcf2f1d3048b2ff74888acf67fdd8a11ce7ab3083a5e05b96cd0a06cb7043f199befefd4c9e3c437d82571722178a7516c84cd4f7da621fe74e02c8

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat
    Filesize: 3KB
    MD5: 73f3dc597b6dcf51f88c83997b78ba74
    SHA1: 30cf5f4db72ba6524e7d48eaa1512e50c85edd16
    SHA256: 7143cdee027d2c463ad7dc83eea1feb8b5635f830911777507f03a881eccc01e
    SHA512: d2869c483db6eb1b43f771f84bef1757d54888e5e601ff4857df8c6ee52a137efa83f822f0d73456dee05b057a55ca6355b494c868964b8cebba9992d65004d5

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs
    Filesize: 387B
    MD5: 7451c9a2cc9ebe4204db926127027f27
    SHA1: 695e61cfdf8ff6914ff52688062edc0c3befaa46
    SHA256: 28a0018651085d0fb8c8ce4cdf70eb605a3a44c122a3bcbdec1317dc23f739d3
    SHA512: fae1b3a9f8df4b8d8f831cc36b8dd2f94ea07453cf34eb7a65441e09f6af481c3e096333e927224a8c44e4e02da442bcb15d9bceee1b343c3ba273332b5735f7

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\serdtse_toskuet.iop
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: 6ab0366c27f08185c0d4375c02596855
    SHA1: f9ff3458ec4b5b5aa94eec1e3a212a7921b50478
    SHA256: 489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee
    SHA512: 3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4