e7ed17393baf91d9f511f87932c86ff6505e4d7b026516e9be9587c6bb5f50c2

General

Target

PHOTO-GOLAYA.exe
Size

238KB
MD5

a66f1eff17dda44a3287ea082faa5bfa
SHA1

fcb18b2525543cb892aca3ab5d1973b9319ec9aa
SHA256

62889e736683cfdce0feca1622b0cc5e0fda07214a7e678768d8cc8d5e7396fb
SHA512

56007cd2911948791c9f1b1e53c4da6925be75fc3acdd9bc54940a9775974245cd2973284205d71a98ae80958febe59fee323af0746ec393d987b957be7a78b3
SSDEEP

6144:zbXE9OiTGfhEClq9rZXpdKw/F4qweYG3/jk8hqfFyBgRYGJJUm:/U9Xiuif

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	3232	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4092	1560	PHOTO-GOLAYA.exe	80
PID 1560 wrote to memory of 4092	1560	PHOTO-GOLAYA.exe	80
PID 1560 wrote to memory of 4092	1560	PHOTO-GOLAYA.exe	80
PID 1560 wrote to memory of 3232	1560	PHOTO-GOLAYA.exe	82
PID 1560 wrote to memory of 3232	1560	PHOTO-GOLAYA.exe	82
PID 1560 wrote to memory of 3232	1560	PHOTO-GOLAYA.exe	82

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:4092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
6612e099d91656c947f3030b88efb273

SHA1
a083924f54dcca1d4fd1729a8dc766d7d43cf3d7

SHA256
4fd6525d3559532f0314cc6a00dada8109353e51aa02dd3e104ef83816b6dbff

SHA512
bec3fa4320a37e04b461103c603dcc2ab68ba110bc8deb8c3e3cd755b32607d0ae607b2f8fcb37d1d2335d048e375e3149e7b3cc9a97fd079f0e64dcbf299783

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
106B

MD5
74305d205702e48e96da6265224b456f

SHA1
387686c3598b5d9bb084f1597aeb3c1687b8b001

SHA256
afc5e57f3536cc17c46c377efe3746f80079b1917597bb3430298ddb570a3faf

SHA512
67fb29190052df27d2a5166a9de5233b64037aac5d00cb31c986850bfcb91f6df8927aa76140dcb126cd8f82eb8dc6c5aaef87816ec5505f176ff62286fafdf0

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll

Filesize
1KB

MD5
281ae60834732ad3cf3e209f8b858dba

SHA1
bd9a6596c9593054b0a4dc404a79a8e780c05e8a

SHA256
647e3a48644cf7cfed8d49b4f8faab8dfa8f6bc8c42d793d54e56e559445d9f7

SHA512
769d3b7ef96ec1d9e871cb57020239e07c45083b26e6940a5fc8dd95801bbecdd5f9ebf6399919e760d6dedee693c75ce33ae6d0b5728a1280920de45ed4f5aa

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs

Filesize
1KB

MD5
281ae60834732ad3cf3e209f8b858dba

SHA1
bd9a6596c9593054b0a4dc404a79a8e780c05e8a

SHA256
647e3a48644cf7cfed8d49b4f8faab8dfa8f6bc8c42d793d54e56e559445d9f7

SHA512
769d3b7ef96ec1d9e871cb57020239e07c45083b26e6940a5fc8dd95801bbecdd5f9ebf6399919e760d6dedee693c75ce33ae6d0b5728a1280920de45ed4f5aa

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f2c5d10ad27bb489a71a16e71b70e8b4

SHA1
5154928e4445092cedd422c549817c7a50e59d76

SHA256
e085c03394954c9b369c0a6f8704062b3c6ab932208fe6061e7a5a5bac851428

SHA512
2f01c24aa2cc579b5d77c13a6b2af9f76738f7868c30a665ea0a4759d80032fbb451a1bbf406554223898a3c2ca586d4749a10b445823f28ef0585acbe57edf9

Download Submit

Analysis

Sharing