a25985a468a781ab884fd5efbcd8c588d77992eb145609f886f8fe357199e1fe

General

Target

PHOTO-DEVOCHKA.exe
Size

180KB
MD5

54fa63539b7dd53f6471ed6c74441a3c
SHA1

c543a83a98e75898d68c27cdad0af7488285bb20
SHA256

3503d7b765ab1715094a62e292fe214325e5e9875058e54df2aeecc402bb5b4e
SHA512

66d48398c3862cc20b33db9d3957ff6ac981c968d309d14e5b8cc38e8728b64b9443a51ae296c694c7cea98639b82a7d10359886b2830004582128d3e6119eb4
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hUysEzQsFgS9BA/y:AbXE9OiTGfhEClq9MsEzQsFgSd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	4928	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	PHOTO-DEVOCHKA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	PHOTO-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3956	2180	PHOTO-DEVOCHKA.exe	80
PID 2180 wrote to memory of 3956	2180	PHOTO-DEVOCHKA.exe	80
PID 2180 wrote to memory of 3956	2180	PHOTO-DEVOCHKA.exe	80
PID 2180 wrote to memory of 3972	2180	PHOTO-DEVOCHKA.exe	82
PID 2180 wrote to memory of 3972	2180	PHOTO-DEVOCHKA.exe	82
PID 2180 wrote to memory of 3972	2180	PHOTO-DEVOCHKA.exe	82
PID 2180 wrote to memory of 4928	2180	PHOTO-DEVOCHKA.exe	83
PID 2180 wrote to memory of 4928	2180	PHOTO-DEVOCHKA.exe	83
PID 2180 wrote to memory of 4928	2180	PHOTO-DEVOCHKA.exe	83

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
d200449456e89d07109236616ff90ab2

SHA1
2557563adba8b21fcd7428b317f8e3eb9f808adc

SHA256
5efb8eafec044705fbe2a79da14865729d797bc4645f2809dbd228d113478a06

SHA512
0ba9e99c7f619dc24bc788cc1d969e92157086c468cd0f1530e409fe8a72f277d9f6676ef619f9cef0416afc82770b74339607c2c4732d4af7b4d9e3dbf61569

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
1KB

MD5
ba0e10b1bc66f3a6d59748562ec92c3f

SHA1
5c1dcf8c262f415e9d3198b1da1aa37077b13c9c

SHA256
62942106eeca5162721d06e21dd8d58ef41493ee3102b69f2a922329cf6f0c1f

SHA512
6efa60b8510e86df317694595c609d2080bbca00ddce64e955d976618d991a1bdcb96361026c98f71d5978cfa9d86a251f5ccac435fd41caef2a445a1a52a0f2

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
695B

MD5
7bebe8b64eadf6024409e508dd6c36ab

SHA1
555b9571fd7209a49218a6af9634099ef2c11d54

SHA256
12f39e2048ec55aeef82beb3c28ea47e0bf85809cf5a1fe19111c4fa4252f460

SHA512
e253d737f76edb2b5b7bd5f81d001e9accf78e9a285c760f0f01acbf214e3a4e29a710fdc45a8c0beb18f4d05efba67dac82d2510a921239c7c964084ff36d09

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c103de0bdd559496de273a00bd9b6806

SHA1
7da2e899d8d1c6110495602364375fb800012e21

SHA256
9351acf3b7ab24de41196bef296b951acb91338c428a4da92f3885ecdd19c1f0

SHA512
6548f7499649c5fd6324379f348e4e5a9df1b0cd103609d3453c901e4d10e70ebc182cef131a75dd53cc73a15ebfe1e36cde4005e488879900d552da5511eb19

Download Submit

Analysis

Sharing