f93c8411720de07a968a314a75a0127c529ab51004f143bef93c02f830be620b

General

Target

PHOTO-GOLAYA.exe
Size

239KB
MD5

9ea5d4e300dd6c096812711fa3c677d2
SHA1

91ae3f2c828d65fc1d862abda77c875a433a09f8
SHA256

fa673f26eca0e92ae23fd52290a15fed2115c3cce647c93a9d52a069d3f82aaa
SHA512

807886572612c5593192318f2ac65fc0d42a77989ac86ccfd730b9544f5fb14fb4aa54aa10bbc7c0f76cde779149da8662d5abba173a503fd942f9669985949e
SSDEEP

3072:7BAp5XhKpN4eOyVTGfhEClj8jTk+0hWmKlv+Cgw5CKHK:mbXE9OiTGfhEClq9PTQJJUK

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	788	WScript.exe
5	788	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.ini	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 320	560	PHOTO-GOLAYA.exe	28
PID 560 wrote to memory of 320	560	PHOTO-GOLAYA.exe	28
PID 560 wrote to memory of 320	560	PHOTO-GOLAYA.exe	28
PID 560 wrote to memory of 320	560	PHOTO-GOLAYA.exe	28
PID 560 wrote to memory of 788	560	PHOTO-GOLAYA.exe	30
PID 560 wrote to memory of 788	560	PHOTO-GOLAYA.exe	30
PID 560 wrote to memory of 788	560	PHOTO-GOLAYA.exe	30
PID 560 wrote to memory of 788	560	PHOTO-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

Filesize
1KB

MD5
1d630a66e3655ad156c69cc47f6a12c4

SHA1
f2bca046862413bfa17cfe5e4b9389f1c05e0bc5

SHA256
43dd8c4612facfe75f5d32a2f011d41ef79bd447d693f804e1b4a8addfea2dae

SHA512
088beeb03c755a617683f847670a368ee437d5ea115388df9143e993a2116f5eb2a85e761bc326915b4f21c6d348051117c7fbe1d5fe21052cc665890dab8636

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua

Filesize
1KB

MD5
34a3c10d2b8c22e546326a2b43150131

SHA1
d7f091985da68e91f0ba8a067aaa5d9b39b8bf97

SHA256
06c5ccc9ac6787d5d68840c75fd0eff5ac4efb242640e3d6d00517c65870a0f5

SHA512
db189cf8719cdd507c3dcd797aef9b6641c5ca6430d8ca54debe0a38b6a469604cd14414c8fa05501552437affb1d3ab5cadc89b9e7d82d1bfbc691182b5cd3a

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs

Filesize
1KB

MD5
34a3c10d2b8c22e546326a2b43150131

SHA1
d7f091985da68e91f0ba8a067aaa5d9b39b8bf97

SHA256
06c5ccc9ac6787d5d68840c75fd0eff5ac4efb242640e3d6d00517c65870a0f5

SHA512
db189cf8719cdd507c3dcd797aef9b6641c5ca6430d8ca54debe0a38b6a469604cd14414c8fa05501552437affb1d3ab5cadc89b9e7d82d1bfbc691182b5cd3a

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

Filesize
87B

MD5
2048e7f377827684952eac6638737664

SHA1
177f0e8e28f88204df60059d64c6ec3bc108a673

SHA256
e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

SHA512
624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
712e39a3a262f220a58df41e0680f7c0

SHA1
4285643061e7360290fa6614e9eb0bb4aa9ada03

SHA256
0d746d368cc41605f9de5e5cd84475398f4faac19e1e4306b16db2a339e21a86

SHA512
dcfc8073785d5f8d1f56a83f2d0dd9a7d68629330169202cc1fd53df6ab9dfce4ed3c6a5a531ada375241c089179d8f61f39a594a835e53ba6ed77df42d0f14d

Download Submit
memory/320-55-0x0000000000000000-mapping.dmp

Download
memory/560-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/788-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing