Overview

overview

8

Static

static

RUSSKAYA-GOLAYA.exe

windows7-x64

8

RUSSKAYA-GOLAYA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    169s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RUSSKAYA-GOLAYA.exe

  • Size

    237KB

  • MD5

    6b665297d9bf4911bc1e79deb80b4059

  • SHA1

    ab02d18112085462343cae6359c6504a28d41932

  • SHA256

    39be344cff519bd5063bc8941c6e76a9d9801e9397a4d3d1001b131eddbf7a00

  • SHA512

    6c10df06f29d8de9fd69c4002693c807dc93a68b8002372ad21bb07068a56e182f68df947d6384340a031afd85dd9dde4ee74b2372f601d79b1c9138d67645db

  • SSDEEP

    3072:tBAp5XhKpN4eOyVTGfhEClj8jTk+0hGrGivgXrC2S7yfH84zsEn/iOjt7hM8Wjz7:obXE9OiTGfhEClq9bweKRZLWJJUC

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\polodpkolo\slonop\slonopotamus.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\polodpkolo\slonop\jolemansday.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4916
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\polodpkolo\slonop\hreansdva.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4892

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\polodpkolo\slonop\1.txt
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\polodpkolo\slonop\hreansdva.vbs
    Filesize

    611B

    MD5

    7be17cf956e43bd720cfe0c89297bd82

    SHA1

    4b6a69a501916b17922ae032854f779e56f95090

    SHA256

    bc5bc8090f94d624ce85e85f4bdb4b3e7cde298651153cc5bc239fc0e643326a

    SHA512

    10056b60a30181d27fe6ed6d5a2b74c390d681d87bd746d44eb473ac9499f270aba7cbf12bb15b9f0663322589345c1d35af982e82095f44887122bdd3d66db8

    Download Submit

  • C:\Program Files (x86)\polodpkolo\slonop\industrialgasturbines.and
    Filesize

    115B

    MD5

    790b2bff4097f17c4ea3578abc4c5018

    SHA1

    56f38199904fca0d34c80faf2f0056586b2357f7

    SHA256

    3be50fa7f71f37a5fa98fdc5d2a651309b12b75cde49a7b537160c9d944167e7

    SHA512

    4493184f56f40bc0e3508689b5f28f70b765d3f5b1047d075f95a48f317137188f3fc48a99c0a004d25cc35dcd500299b200cac89b1b12dcbdfae88d5c57e305

    Download Submit

  • C:\Program Files (x86)\polodpkolo\slonop\jolemansday.day
    Filesize

    255B

    MD5

    f1e756397a5925c877c11c7fee9671ca

    SHA1

    bcd341d59d78ae253fbcaedccb44f02f45c5418c

    SHA256

    ff0797eab7952ecc80d7d361f7ea55b5cef78c37d71cfcda1a30c3b46f30a852

    SHA512

    05060be8d1f6cb8269746df0ee7df7575350a7971c13eab4652f6ba47ab51cc89f1954e249c12b98576c1dd59db74c194b971b7d04638630a19b89468be61fa2

    Download Submit

  • C:\Program Files (x86)\polodpkolo\slonop\jolemansday.vbs
    Filesize

    255B

    MD5

    f1e756397a5925c877c11c7fee9671ca

    SHA1

    bcd341d59d78ae253fbcaedccb44f02f45c5418c

    SHA256

    ff0797eab7952ecc80d7d361f7ea55b5cef78c37d71cfcda1a30c3b46f30a852

    SHA512

    05060be8d1f6cb8269746df0ee7df7575350a7971c13eab4652f6ba47ab51cc89f1954e249c12b98576c1dd59db74c194b971b7d04638630a19b89468be61fa2

    Download Submit

  • C:\Program Files (x86)\polodpkolo\slonop\slonopotamus.bat
    Filesize

    1KB

    MD5

    b3a3f303dfc43c22b0d21aa609cde3f9

    SHA1

    aca892d1fbe1729c737142661ad7902f2a370d72

    SHA256

    28c614b65efbfb819c0cdbced99df127e3f76b10884e0d0682b93bc9f35d1680

    SHA512

    f1fe2244253df8082cdd5e84a8f6f213663f620256ffaf7784ee87f0e18f6e2991d3c3c5644b1fc3df79f739d1329a4142232306676fd95982fd2d6107548498

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    71d56c63c666019eab63fa6f1cf94f2c

    SHA1

    e7d92bc7d1d8ce3bcc51f2a0049f21ac1b4f12dc

    SHA256

    208f28ce8cbf416b8be7beffea105562fffcfdd14cdc370e4519233c46451b53

    SHA512

    6131b7d16dacf34abaae4426e5507cb5b4df2116145572d3ed2ac0e27ebade53ec0ccc058f353c2519513bf8214d1b822d0d3197fe16bc3c96467dbaa54a1768

    Download Submit