f39ab6cd930df77feb92dcf9b8342834102a32bbfaba639d8cebf7f624589fa5

General

Target

PHOTO-DEVOCHKA.exe
Size

239KB
MD5

ec08e46a6d8f35d42aa0b856575326bb
SHA1

3879ba0c3233cacf5c3d3c1ab1ce4b4ae6353d43
SHA256

51dba153450ba408dda62e4fcf650b62c7bc0cf3695a61bb9e09ff9bba5cd6a5
SHA512

c5bcd1981fb73780432bf341c1e02b5de07a4f4183837e76b055ae12a164fdbe88c8d12d50e4f121b28457d6849e8e18427ded41da6716b67748846d544591b8
SSDEEP

3072:JBAp5XhKpN4eOyVTGfhEClj8jTk+0hqIgMKTNRfM+Cgw5CKHK:MbXE9OiTGfhEClq9nlN/JJUK

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	432	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	PHOTO-DEVOCHKA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.ini	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	PHOTO-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4248	5004	PHOTO-DEVOCHKA.exe	79
PID 5004 wrote to memory of 4248	5004	PHOTO-DEVOCHKA.exe	79
PID 5004 wrote to memory of 4248	5004	PHOTO-DEVOCHKA.exe	79
PID 5004 wrote to memory of 432	5004	PHOTO-DEVOCHKA.exe	81
PID 5004 wrote to memory of 432	5004	PHOTO-DEVOCHKA.exe	81
PID 5004 wrote to memory of 432	5004	PHOTO-DEVOCHKA.exe	81

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:4248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

Filesize
1KB

MD5
48bdd656306956c689f43e134ef1ae4e

SHA1
4efa50ca2fa077dd5d81e6a77fd6975328a7957e

SHA256
0e8814915638a34cde2787ab4c92f9c333180344e49c471c4c1389134609616d

SHA512
c9885330b38d163d3595b4ad5b037a2696a8b5578f029aad6779055d4c1c03357dcdb4162f4a5f01c456792256dec0455721718c3dc82979a2f7ad23ababa733

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua

Filesize
1KB

MD5
5f3fbc4f180dd8e24509b2df9ab3b48c

SHA1
791b4bea20ea8d86fcdb4fae3a2d34c4760ba463

SHA256
2991ce042bb9995818819a44f1b8aa67c352a131b9bb6a77f9ef6c70ae127950

SHA512
bd0a3beb148fbf93bd5156d24a4e0c3d86d61b39d28247654c5326dcf7f2b8c4c89f7d9f9fead78abfd2c8d1dff4b860f7e87661e8f0f1d8082c81bff75d91c1

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs

Filesize
1KB

MD5
5f3fbc4f180dd8e24509b2df9ab3b48c

SHA1
791b4bea20ea8d86fcdb4fae3a2d34c4760ba463

SHA256
2991ce042bb9995818819a44f1b8aa67c352a131b9bb6a77f9ef6c70ae127950

SHA512
bd0a3beb148fbf93bd5156d24a4e0c3d86d61b39d28247654c5326dcf7f2b8c4c89f7d9f9fead78abfd2c8d1dff4b860f7e87661e8f0f1d8082c81bff75d91c1

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

Filesize
87B

MD5
2048e7f377827684952eac6638737664

SHA1
177f0e8e28f88204df60059d64c6ec3bc108a673

SHA256
e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

SHA512
624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
712e39a3a262f220a58df41e0680f7c0

SHA1
4285643061e7360290fa6614e9eb0bb4aa9ada03

SHA256
0d746d368cc41605f9de5e5cd84475398f4faac19e1e4306b16db2a339e21a86

SHA512
dcfc8073785d5f8d1f56a83f2d0dd9a7d68629330169202cc1fd53df6ab9dfce4ed3c6a5a531ada375241c089179d8f61f39a594a835e53ba6ed77df42d0f14d

Download Submit

Analysis

Sharing