e4647c785b93725187f48397253cae9b41c9db81ee066f7799b1d51afca6838e

General

Target

PHOTO-DEVOCHKA.exe
Size

237KB
MD5

eb1cdf3bad0448d18b4f6da3be5bc4e5
SHA1

fe3066247cc047ec212fbeebe98a356e54e0e482
SHA256

5f981881ae277155751b5b657b71760b44f3c5757d5bbd32913445a28ed579cc
SHA512

a939d9d7a47a927a104c29d09be6b7371dddc63b16586e103b17f7a0488b989f3dd117ab5e8851ca2bff40f4fc1b22321fbf9bea73381d7211a29d43996ad591
SSDEEP

3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0h5Y2AGeSU+Cgw5CKHS:JbXE9OiTGfhEClq9AY2AGeoJJUS

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
30	2840	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	PHOTO-DEVOCHKA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\1.txt	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\Uninstall.exe	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\Uninstall.ini	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs	cmd.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\1.txt	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\Uninstall.exe	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	PHOTO-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4940	3664	PHOTO-DEVOCHKA.exe	85
PID 3664 wrote to memory of 4940	3664	PHOTO-DEVOCHKA.exe	85
PID 3664 wrote to memory of 4940	3664	PHOTO-DEVOCHKA.exe	85
PID 4940 wrote to memory of 2840	4940	cmd.exe	87
PID 4940 wrote to memory of 2840	4940	cmd.exe	87
PID 4940 wrote to memory of 2840	4940	cmd.exe	87
PID 3664 wrote to memory of 4040	3664	PHOTO-DEVOCHKA.exe	88
PID 3664 wrote to memory of 4040	3664	PHOTO-DEVOCHKA.exe	88
PID 3664 wrote to memory of 4040	3664	PHOTO-DEVOCHKA.exe	88

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\poddddkod_dap\novay\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs

Filesize
597B

MD5
e17125705926c32f6ce1059053f707a1

SHA1
acd0d32e742bc388ab0a9a862c006986471a4db9

SHA256
a5c2ce12deadb8a51cb16511482d44c53fef6c9149e4616733c68a8b292ed506

SHA512
a3618a76e0c721ca9421b6193a15f779b84689add6c6dd52a488950c9358c406eafc3bfa1e64d7d407716ecb33464fcb1addbd6fe9792da2179ded9cb4f0e599

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp

Filesize
65B

MD5
7cb8698f0d38b859c2162d8d4012e91e

SHA1
0936d45df25ae05a6a47404ebfa04f10758b158f

SHA256
b9f7186bbcb607a8f0870abc34c4900ed94e94593dba0b4446dd65b516d21545

SHA512
5e14a31aeedf67a4cb95ec88d5f79498e4e101a9ca7f1a032c762a674214f20c98fd9427471a5541464efd2a53618257ceea2426ac7a6a0f76c728d3597f805b

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat

Filesize
1KB

MD5
fd980a2ba1a5b356ee9da1ae18d57372

SHA1
f4a95e59a2dc7f91d01ced859166c6f534ef4366

SHA256
14997d59347750fb21794d18817abb987911b4336e796528b174ba345150d054

SHA512
a21412902b9273c574f64eacae1d7d8171dc9533ce1f2dd23eef521c87eb418ccc9d11222b3dd26e6f6ced298ce97e412b439d254536691d4dec1b95236af5f9

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui

Filesize
261B

MD5
2220c2ba3ab6dd671cfbc80fb66e8989

SHA1
c2698ec660cff13e102676af7e8426a44b68efe7

SHA256
4ff356480adae2f8e3e8e1ab665c2fb0b23c6c964d20c65edfb220ceb984f31e

SHA512
4b660fe9082965eaa0a2e5150cf9e6fca8bbd356af9d4cb09deda878a513f2074161e7b0f36a469a8293b985794f4c21afaff196ac4c80b83911b65c801a100c

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs

Filesize
261B

MD5
2220c2ba3ab6dd671cfbc80fb66e8989

SHA1
c2698ec660cff13e102676af7e8426a44b68efe7

SHA256
4ff356480adae2f8e3e8e1ab665c2fb0b23c6c964d20c65edfb220ceb984f31e

SHA512
4b660fe9082965eaa0a2e5150cf9e6fca8bbd356af9d4cb09deda878a513f2074161e7b0f36a469a8293b985794f4c21afaff196ac4c80b83911b65c801a100c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
776b152fc7b16cdb6f03b535016b30d7

SHA1
535c5c292c16acda59325c59c1327dfe39499334

SHA256
802d784cf685137a021b5a2c86d32e755ddde8212de5d320f1c4cd97feff735b

SHA512
fbcd9e8283b69170bdee143111a26e22778bf792b5bb0e00db524b087008b23a2fdca3c772b3cb1631914772e91699cffe7a45023e717c204f30e99f67759090

Download Submit
memory/2840-136-0x0000000000000000-mapping.dmp

Download
memory/4040-138-0x0000000000000000-mapping.dmp

Download
memory/4940-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing