f2b833d9f7602f7df489254167e309134d31d622b9fd0733a4b3434e06bba6fb

General

Target

RUSSKAYA-GOLAYA.exe
Size

237KB
MD5

6b665297d9bf4911bc1e79deb80b4059
SHA1

ab02d18112085462343cae6359c6504a28d41932
SHA256

39be344cff519bd5063bc8941c6e76a9d9801e9397a4d3d1001b131eddbf7a00
SHA512

6c10df06f29d8de9fd69c4002693c807dc93a68b8002372ad21bb07068a56e182f68df947d6384340a031afd85dd9dde4ee74b2372f601d79b1c9138d67645db
SSDEEP

3072:tBAp5XhKpN4eOyVTGfhEClj8jTk+0hGrGivgXrC2S7yfH84zsEn/iOjt7hM8Wjz7:obXE9OiTGfhEClq9bweKRZLWJJUC

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2008	WScript.exe
4	2008	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\polodpkolo\slonop\jolemansday.day	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\industrialgasturbines.and	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\polodpkolo\slonop\jolemansday.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\polodpkolo\slonop\1.txt	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\slonopotamus.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\polodpkolo\slonop\slonopotamus.bat	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\hreansdva.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\polodpkolo\slonop\hreansdva.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\polodpkolo\slonop\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\1.txt	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\jolemansday.day	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\polodpkolo\slonop\jolemansday.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\polodpkolo\slonop\industrialgasturbines.and	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1152	1096	RUSSKAYA-GOLAYA.exe	27
PID 1096 wrote to memory of 1152	1096	RUSSKAYA-GOLAYA.exe	27
PID 1096 wrote to memory of 1152	1096	RUSSKAYA-GOLAYA.exe	27
PID 1096 wrote to memory of 1152	1096	RUSSKAYA-GOLAYA.exe	27
PID 1152 wrote to memory of 2008	1152	cmd.exe	29
PID 1152 wrote to memory of 2008	1152	cmd.exe	29
PID 1152 wrote to memory of 2008	1152	cmd.exe	29
PID 1152 wrote to memory of 2008	1152	cmd.exe	29
PID 1096 wrote to memory of 2032	1096	RUSSKAYA-GOLAYA.exe	30
PID 1096 wrote to memory of 2032	1096	RUSSKAYA-GOLAYA.exe	30
PID 1096 wrote to memory of 2032	1096	RUSSKAYA-GOLAYA.exe	30
PID 1096 wrote to memory of 2032	1096	RUSSKAYA-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\polodpkolo\slonop\slonopotamus.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\polodpkolo\slonop\jolemansday.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\polodpkolo\slonop\hreansdva.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\polodpkolo\slonop\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\polodpkolo\slonop\hreansdva.vbs

Filesize
611B

MD5
7be17cf956e43bd720cfe0c89297bd82

SHA1
4b6a69a501916b17922ae032854f779e56f95090

SHA256
bc5bc8090f94d624ce85e85f4bdb4b3e7cde298651153cc5bc239fc0e643326a

SHA512
10056b60a30181d27fe6ed6d5a2b74c390d681d87bd746d44eb473ac9499f270aba7cbf12bb15b9f0663322589345c1d35af982e82095f44887122bdd3d66db8

Download Submit
C:\Program Files (x86)\polodpkolo\slonop\industrialgasturbines.and

Filesize
115B

MD5
790b2bff4097f17c4ea3578abc4c5018

SHA1
56f38199904fca0d34c80faf2f0056586b2357f7

SHA256
3be50fa7f71f37a5fa98fdc5d2a651309b12b75cde49a7b537160c9d944167e7

SHA512
4493184f56f40bc0e3508689b5f28f70b765d3f5b1047d075f95a48f317137188f3fc48a99c0a004d25cc35dcd500299b200cac89b1b12dcbdfae88d5c57e305

Download Submit
C:\Program Files (x86)\polodpkolo\slonop\jolemansday.day

Filesize
255B

MD5
f1e756397a5925c877c11c7fee9671ca

SHA1
bcd341d59d78ae253fbcaedccb44f02f45c5418c

SHA256
ff0797eab7952ecc80d7d361f7ea55b5cef78c37d71cfcda1a30c3b46f30a852

SHA512
05060be8d1f6cb8269746df0ee7df7575350a7971c13eab4652f6ba47ab51cc89f1954e249c12b98576c1dd59db74c194b971b7d04638630a19b89468be61fa2

Download Submit
C:\Program Files (x86)\polodpkolo\slonop\jolemansday.vbs

Filesize
255B

MD5
f1e756397a5925c877c11c7fee9671ca

SHA1
bcd341d59d78ae253fbcaedccb44f02f45c5418c

SHA256
ff0797eab7952ecc80d7d361f7ea55b5cef78c37d71cfcda1a30c3b46f30a852

SHA512
05060be8d1f6cb8269746df0ee7df7575350a7971c13eab4652f6ba47ab51cc89f1954e249c12b98576c1dd59db74c194b971b7d04638630a19b89468be61fa2

Download Submit
C:\Program Files (x86)\polodpkolo\slonop\slonopotamus.bat

Filesize
1KB

MD5
b3a3f303dfc43c22b0d21aa609cde3f9

SHA1
aca892d1fbe1729c737142661ad7902f2a370d72

SHA256
28c614b65efbfb819c0cdbced99df127e3f76b10884e0d0682b93bc9f35d1680

SHA512
f1fe2244253df8082cdd5e84a8f6f213663f620256ffaf7784ee87f0e18f6e2991d3c3c5644b1fc3df79f739d1329a4142232306676fd95982fd2d6107548498

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
71d56c63c666019eab63fa6f1cf94f2c

SHA1
e7d92bc7d1d8ce3bcc51f2a0049f21ac1b4f12dc

SHA256
208f28ce8cbf416b8be7beffea105562fffcfdd14cdc370e4519233c46451b53

SHA512
6131b7d16dacf34abaae4426e5507cb5b4df2116145572d3ed2ac0e27ebade53ec0ccc058f353c2519513bf8214d1b822d0d3197fe16bc3c96467dbaa54a1768

Download Submit
memory/1096-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing