2fc2298cdf63f60af0caff24340b417aced238fea9b362a6c166fc1f2a8a2429

General

Target

RUSSKAYA-GOLAYA.exe
Size

149KB
MD5

86963b99db7a9d6660798be28b910d61
SHA1

99c2e0024d8bf88f592b445d7f33fa82d19a27e1
SHA256

4d290ca6bfc7bf253d6c7e40aa8e72f664bc461953e07a0e6461e2f460d0f8ec
SHA512

ea5d866e2a0372dd5376a0e45cafe2906b1206c59b86339c9588a1c98b734ec2fcd331e9614b99857fce5f7626614dfac422ed3ba49a57082e52361b2fc33555
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hir1X1sVys8qMi6nHL2:AbXE9OiTGfhEClq9dd1I8qSn6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1744	WScript.exe
4	1744	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\lit.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\bautmyside.txt	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\inown\aboutmyside\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\infocars.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1912	900	RUSSKAYA-GOLAYA.exe	27
PID 900 wrote to memory of 1912	900	RUSSKAYA-GOLAYA.exe	27
PID 900 wrote to memory of 1912	900	RUSSKAYA-GOLAYA.exe	27
PID 900 wrote to memory of 1912	900	RUSSKAYA-GOLAYA.exe	27
PID 1912 wrote to memory of 1744	1912	cmd.exe	29
PID 1912 wrote to memory of 1744	1912	cmd.exe	29
PID 1912 wrote to memory of 1744	1912	cmd.exe	29
PID 1912 wrote to memory of 1744	1912	cmd.exe	29
PID 900 wrote to memory of 1876	900	RUSSKAYA-GOLAYA.exe	30
PID 900 wrote to memory of 1876	900	RUSSKAYA-GOLAYA.exe	30
PID 900 wrote to memory of 1876	900	RUSSKAYA-GOLAYA.exe	30
PID 900 wrote to memory of 1876	900	RUSSKAYA-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\infocars.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs

Filesize
796B

MD5
94bebe4d23ad981994a078f69c4cb172

SHA1
c925bd18ccc8cb15efd4b4e8236711e1655ed937

SHA256
791c0b84812815dcd580d3597c4101838518a8a27f664fbc51e000bd1a7fab00

SHA512
499c078b0074598ceceb57d87d464b461a53cf1c32a6caeb01ab26c1c91f25cd010c8cbef7002ec525032145e2d319243c6f485e608cb69ace381997e07f0def

Download Submit
C:\Program Files (x86)\inown\aboutmyside\infocars.vbs

Filesize
334B

MD5
4dac2c8699edc17fbb7036ca3ec636b6

SHA1
e8a316283f5ad515a4163395442556aa41c929c7

SHA256
6e0b74f4db571a5acb966ee1dd836c61b723a59ccc31aeff28e678068b43fbdf

SHA512
4f0dc350e1e465ec609ff44e3618a57e16af6f7221072965afd70c00fe778831b869677cfc321c3bcd411885946ed486b88b5efca68729ad6bb0e0ba32932a10

Download Submit
C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life

Filesize
50B

MD5
2fbbd6510fe26068e7e81bbc7c185025

SHA1
804798609e017cf1aa1cdf39cc823f2758728301

SHA256
60cd1ca9ed0335145319ed37d63337ae5de58788e6eccf73e6f91d370f9d6240

SHA512
6e006158333d5f5b8f5ba46b921b52399866256a50fe14f340c5b44ee44f7bef096ca38f3afe3717272d5b731e041e4f656ad98c1c46ad26cdbed5d6c524b325

Download Submit
C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat

Filesize
3KB

MD5
ebd31ee99794ccbe7c3b915688758e84

SHA1
4df1ee78abf06155806771fc0a1aeeca6f62772e

SHA256
e79babef2174d2a472455a0848850d4aa759bb9870633f3a5a97e753087b3d0f

SHA512
576a6f570b8f023d113324dfc504e1d043ab108717024bbfe0f37476a6561df320007b0209c3af70d7c9654dd80e6861a1d896d019bb7b6f2977c7ee92008a94

Download Submit
C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit
memory/900-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing