568b8c4eef6f817dea01f02d4d59e38cb46e0a97482d8136ddb48617c33b4f14 | Triage

Analysis

max time kernel
339s
max time network
403s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 01:53

Sharing

Report Analysis Logs

General

Target

PHOTO-GOLAYA.exe
Size

180KB
MD5

69a9db2003415946eb1185c9ab4d6ca4
SHA1

a4e84147d24c578a9a0ac9b4b08815d45cf035c1
SHA256

39f420b486362ecca29eb4c068e665c2bd126f6f526049c26491539d1135582f
SHA512

2ddd0734c50bf4ecb5be23127e1354d641d78c49d4f20c703ef36621db6af9c1dcc2447f3d04527ea9fe56cdaf425c651b932139faed62537ceee3b662c14ad8
SSDEEP

3072:oBAp5XhKpN4eOyVTGfhEClj8jTk+0hN7+mYnhIAhyYwYs:fbXE9OiTGfhEClq9s+mYnhIAhyT

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers\upppploooooollll.ruu	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers\09olbanid_go_stricktly.bat	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads