f6c3502b8332204f77e0fecf03f4ded98474397a425e920eb84313e4308f1300

General

Target

RUSSKAYA-GOLAYA.exe
Size

239KB
MD5

680c79d257b76cdfab7faafae1a95247
SHA1

a20030095f1004e9a523ddc547d9193baa818f30
SHA256

68507d37e692a2a93c88ca97dc37c9265a653b60fbe700db6cfbf0ad77d80f52
SHA512

b1d4c1442fd38a57911553ed9eba7d56565a5236ffca250cef74c2835f8404fa01737fd5c9db9fc97d378fb739d6988f14aef37a66015d015177a43061adf5da
SSDEEP

3072:MBAp5XhKpN4eOyVTGfhEClj8jTk+0hYoO/MgjqEWB1+Cgw5CKHy:7bXE9OiTGfhEClq95/MgfJJUy

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	880	WScript.exe
5	880	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Dogma.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\xuipizda\1.txt	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\pizdaxui11.vbs	cmd.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\olologggg.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\pizdaxui11.vbs	cmd.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Twitvid allows you to easily.home	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Twitvid allows you to easily.home	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Dogma.bat	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\kolitmna.kol	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\kolitmna.kol	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\xuipizda\1.txt	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\pizdaxui11.eb	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\pizdaxui11.eb	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\olologggg.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1256	1812	RUSSKAYA-GOLAYA.exe	28
PID 1812 wrote to memory of 1256	1812	RUSSKAYA-GOLAYA.exe	28
PID 1812 wrote to memory of 1256	1812	RUSSKAYA-GOLAYA.exe	28
PID 1812 wrote to memory of 1256	1812	RUSSKAYA-GOLAYA.exe	28
PID 1812 wrote to memory of 524	1812	RUSSKAYA-GOLAYA.exe	30
PID 1812 wrote to memory of 524	1812	RUSSKAYA-GOLAYA.exe	30
PID 1812 wrote to memory of 524	1812	RUSSKAYA-GOLAYA.exe	30
PID 1812 wrote to memory of 524	1812	RUSSKAYA-GOLAYA.exe	30
PID 1812 wrote to memory of 880	1812	RUSSKAYA-GOLAYA.exe	31
PID 1812 wrote to memory of 880	1812	RUSSKAYA-GOLAYA.exe	31
PID 1812 wrote to memory of 880	1812	RUSSKAYA-GOLAYA.exe	31
PID 1812 wrote to memory of 880	1812	RUSSKAYA-GOLAYA.exe	31

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Dogma.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\olologggg.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\pizdaxui11.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Dogma.bat

Filesize
1KB

MD5
f9d7f6d09539def31041ed3e37e2d741

SHA1
aa5ce65d009b832b9210f92c873226d180e773f8

SHA256
3e74eaab63bed051859f70d0113b010586e9e05b76157961e37b0b6c27c8fd7c

SHA512
0c54079b64a242d991698310c4df4b4ddfdc334619a9903e7dc5c27347304f21e5ee86fedb746020a7e6f6596743eea9d917c9c0fabaf9daff518a1df8b7e9d2

Download Submit
C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\Twitvid allows you to easily.home

Filesize
123B

MD5
d4c87316f68bb275ab3e3679f6db3912

SHA1
5ab0ae8cb04589cc8109ad69ff9b4350521090aa

SHA256
179ff05a610296475993208238254e3550675d451bd6732fdbe3bb629c65cd5b

SHA512
01fa1cb329d7c23cf767e76551358ef2a0c79b07e3ad7d246a0cfd503989abc98fc5d5bbac818f7b998ee97ca956de073aa054ac732709f0e7cb537a29cad48a

Download Submit
C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\kolitmna.kol

Filesize
632B

MD5
3437630e7704ab3b56f793452b897666

SHA1
f4a987e3fae3d3520a2c213467319318aab9de00

SHA256
39ad5502937a9052a8a27c427fe81f4a8c439810c9f23831d7d32f92a070c1e6

SHA512
b68d955e5ed511430063fdbb0e81a888f3caf8985cedef58c2cf2bd1d3bad37b11068c23d9a17f88aecc0e06dfac4639a1a3ee65ad68cf19a9a72317a31ff3a3

Download Submit
C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\olologggg.vbs

Filesize
632B

MD5
3437630e7704ab3b56f793452b897666

SHA1
f4a987e3fae3d3520a2c213467319318aab9de00

SHA256
39ad5502937a9052a8a27c427fe81f4a8c439810c9f23831d7d32f92a070c1e6

SHA512
b68d955e5ed511430063fdbb0e81a888f3caf8985cedef58c2cf2bd1d3bad37b11068c23d9a17f88aecc0e06dfac4639a1a3ee65ad68cf19a9a72317a31ff3a3

Download Submit
C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\pizdaxui11.eb

Filesize
158B

MD5
178032845f81c4936db8f1234e8d9528

SHA1
9268c566eb3775a9f7e3405caced4da4d12c8002

SHA256
5971a80955aa6e5f3e400347cdc57d5cca4985bdf9c779b58087f193781396e5

SHA512
577ca5b0b63368f04b71750ae8aa67e333c02dd8ae9d51cc2d046cb0b8f7002a1b639e7e12c03a740d2e0a27a775e59ad6a30069a47a27f6804a590e723aaecb

Download Submit
C:\Program Files (x86)\lop1\piccoloucioamepiacanutella\pizdaxui11.vbs

Filesize
158B

MD5
178032845f81c4936db8f1234e8d9528

SHA1
9268c566eb3775a9f7e3405caced4da4d12c8002

SHA256
5971a80955aa6e5f3e400347cdc57d5cca4985bdf9c779b58087f193781396e5

SHA512
577ca5b0b63368f04b71750ae8aa67e333c02dd8ae9d51cc2d046cb0b8f7002a1b639e7e12c03a740d2e0a27a775e59ad6a30069a47a27f6804a590e723aaecb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
71d56c63c666019eab63fa6f1cf94f2c

SHA1
e7d92bc7d1d8ce3bcc51f2a0049f21ac1b4f12dc

SHA256
208f28ce8cbf416b8be7beffea105562fffcfdd14cdc370e4519233c46451b53

SHA512
6131b7d16dacf34abaae4426e5507cb5b4df2116145572d3ed2ac0e27ebade53ec0ccc058f353c2519513bf8214d1b822d0d3197fe16bc3c96467dbaa54a1768

Download Submit
memory/1812-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing