97c8f186e15370f82c9dcdd418ecddc915ec6f3c78919e3c07ef9e3906c721d7

General

Target

RUSSKAYA-GOLAYA.exe
Size

237KB
MD5

eb1cdf3bad0448d18b4f6da3be5bc4e5
SHA1

fe3066247cc047ec212fbeebe98a356e54e0e482
SHA256

5f981881ae277155751b5b657b71760b44f3c5757d5bbd32913445a28ed579cc
SHA512

a939d9d7a47a927a104c29d09be6b7371dddc63b16586e103b17f7a0488b989f3dd117ab5e8851ca2bff40f4fc1b22321fbf9bea73381d7211a29d43996ad591
SSDEEP

3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0h5Y2AGeSU+Cgw5CKHS:JbXE9OiTGfhEClq9AY2AGeoJJUS

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	3636	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	RUSSKAYA-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\1.txt	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\1.txt	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	RUSSKAYA-GOLAYA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 3716	4972	RUSSKAYA-GOLAYA.exe	80
PID 4972 wrote to memory of 3716	4972	RUSSKAYA-GOLAYA.exe	80
PID 4972 wrote to memory of 3716	4972	RUSSKAYA-GOLAYA.exe	80
PID 3716 wrote to memory of 3636	3716	cmd.exe	82
PID 3716 wrote to memory of 3636	3716	cmd.exe	82
PID 3716 wrote to memory of 3636	3716	cmd.exe	82
PID 4972 wrote to memory of 480	4972	RUSSKAYA-GOLAYA.exe	83
PID 4972 wrote to memory of 480	4972	RUSSKAYA-GOLAYA.exe	83
PID 4972 wrote to memory of 480	4972	RUSSKAYA-GOLAYA.exe	83

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\poddddkod_dap\novay\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs

Filesize
597B

MD5
e17125705926c32f6ce1059053f707a1

SHA1
acd0d32e742bc388ab0a9a862c006986471a4db9

SHA256
a5c2ce12deadb8a51cb16511482d44c53fef6c9149e4616733c68a8b292ed506

SHA512
a3618a76e0c721ca9421b6193a15f779b84689add6c6dd52a488950c9358c406eafc3bfa1e64d7d407716ecb33464fcb1addbd6fe9792da2179ded9cb4f0e599

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp

Filesize
65B

MD5
7cb8698f0d38b859c2162d8d4012e91e

SHA1
0936d45df25ae05a6a47404ebfa04f10758b158f

SHA256
b9f7186bbcb607a8f0870abc34c4900ed94e94593dba0b4446dd65b516d21545

SHA512
5e14a31aeedf67a4cb95ec88d5f79498e4e101a9ca7f1a032c762a674214f20c98fd9427471a5541464efd2a53618257ceea2426ac7a6a0f76c728d3597f805b

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat

Filesize
1KB

MD5
fd980a2ba1a5b356ee9da1ae18d57372

SHA1
f4a95e59a2dc7f91d01ced859166c6f534ef4366

SHA256
14997d59347750fb21794d18817abb987911b4336e796528b174ba345150d054

SHA512
a21412902b9273c574f64eacae1d7d8171dc9533ce1f2dd23eef521c87eb418ccc9d11222b3dd26e6f6ced298ce97e412b439d254536691d4dec1b95236af5f9

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui

Filesize
261B

MD5
2220c2ba3ab6dd671cfbc80fb66e8989

SHA1
c2698ec660cff13e102676af7e8426a44b68efe7

SHA256
4ff356480adae2f8e3e8e1ab665c2fb0b23c6c964d20c65edfb220ceb984f31e

SHA512
4b660fe9082965eaa0a2e5150cf9e6fca8bbd356af9d4cb09deda878a513f2074161e7b0f36a469a8293b985794f4c21afaff196ac4c80b83911b65c801a100c

Download Submit
C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs

Filesize
261B

MD5
2220c2ba3ab6dd671cfbc80fb66e8989

SHA1
c2698ec660cff13e102676af7e8426a44b68efe7

SHA256
4ff356480adae2f8e3e8e1ab665c2fb0b23c6c964d20c65edfb220ceb984f31e

SHA512
4b660fe9082965eaa0a2e5150cf9e6fca8bbd356af9d4cb09deda878a513f2074161e7b0f36a469a8293b985794f4c21afaff196ac4c80b83911b65c801a100c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9dcc61449d186116ce46be8d983d245

SHA1
07869bd8517809202b490ee94d0cd65d4aafa3b5

SHA256
4b8b297c1a0358fbd292e9ce2fd289ab1f241808a1fdf92c3261a1728de96783

SHA512
a12663a8fd5a4fa0a7b47977aed3eca673271da00e5ad8d7549e8fd4c96c3127ec2c558c1dd7ebc3372af5c739541a9552b55ee6b54e8be999ebbcdf2b34ce81

Download Submit

Analysis

Sharing