0d0babda6297c3cc1a5d03bb9d33bb8731027418381a77034d9510e7f2221d1a

General

Target

RUSSKAYA-GOLAYA.exe
Size

180KB
MD5

fdc849111653249dd6ebe00d6d293760
SHA1

ece8bcb2bd22dfbe218e8c9104d2813bc624ec31
SHA256

538b9ff9b6e06025b93fa25ebbf7d06f7280813b97e826b7413981ae543d7429
SHA512

83e22626e4c46324d2d0cc60a545e4341123aeca1d96c9d23925e441cda137bfbb3ff463acba3514a896d9fb8851ffdf63248f628fed14e0df07b3e013c64866
SSDEEP

3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0hg/eSZZvLf6CNsPrXJ8WYQKaLl:+bXE9OiTGfhEClq9vGSZZvLCCNsPrXJh

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	4860	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	backgroundTaskHost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	backgroundTaskHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	RUSSKAYA-GOLAYA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Elaeioleiferandhemar.ipa	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	RUSSKAYA-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3496	2148	RUSSKAYA-GOLAYA.exe	45
PID 2148 wrote to memory of 3496	2148	RUSSKAYA-GOLAYA.exe	45
PID 2148 wrote to memory of 3496	2148	RUSSKAYA-GOLAYA.exe	45
PID 2148 wrote to memory of 4296	2148	RUSSKAYA-GOLAYA.exe	105
PID 2148 wrote to memory of 4296	2148	RUSSKAYA-GOLAYA.exe	105
PID 2148 wrote to memory of 4296	2148	RUSSKAYA-GOLAYA.exe	105
PID 2148 wrote to memory of 4860	2148	RUSSKAYA-GOLAYA.exe	48
PID 2148 wrote to memory of 4860	2148	RUSSKAYA-GOLAYA.exe	48
PID 2148 wrote to memory of 4860	2148	RUSSKAYA-GOLAYA.exe	48

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs"
  2⤵
  PID:4296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4860

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Drops file in Drivers directory
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat

Filesize
618B

MD5
95df14b25a47ba59c8c55ae624260575

SHA1
680ff195daaed58014e59cf89d4626b4a68ab8a4

SHA256
97e108f9a7186f2c87c37410f8bd63adf51eff8320a1781bd2da47f761a35895

SHA512
50d923c6356acb1c210a34423f44ef18bd97ca755da39c191335d72e03d37d5220b997e061316485c341d48de1186c990280458306ebb59e9a16d5167ea60440

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Elaeioleiferandhemar.ipa

Filesize
74B

MD5
a53a5a1f903850e67c4009f69cab52df

SHA1
5b5c3a9ceb8d3d589bb547e4828ee5aa5ad2d251

SHA256
87b2b49c62d2b891333b6e211e81fe8c07259639baa20f2fecea09034f857924

SHA512
936b05b93daf666b808782b80a46fa85a7e1b43dae813759c9e5c0f80aae9769ee1d196c5be53528d9966de6c3f834aa8a06d1e4350efeb04e41eeac7f796875

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs

Filesize
493B

MD5
8431f160c6a617cb24571d81b5174dbc

SHA1
75efd043ba0c106de481e0f26e39c0ad8acdb74e

SHA256
e2f37d318f2009a54cf5a0ddbb20734506c96cfe8a7e3a30f89453b4814f0871

SHA512
82c963916389ae787fa5061ba9dcf36ebca785bab3850aa19070c21de2037b0f40f0b2e6888247755bd29920fa5fbf9e7ce1c80a59a249888e8ecdde836922ca

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs

Filesize
625B

MD5
ccfc768d46340bcfb9008809574ec464

SHA1
3d5b301a993eb1f5337829972f4c00cb416286fb

SHA256
aed09b8a54524d57146b6820d0b1bb4c0ee9c3ed63b9653b51cb989888335412

SHA512
cab7625f46269fb26431a978dbb37d71f5295fa3beef46aa38c6f6abf7ee97bdd4ceb726d7e2462df740bb12e4ba763a0cc232d3bf525934149deb895a715db4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
9037e35ed2aa165149a254e22fad6d5f

SHA1
32a38d6e69b2fbe74ff03c80f9a629d6bfddc646

SHA256
f7e40a008122ebec728cf61cb7fb7745eff80692fa4a006391f573764f810153

SHA512
6439706e2d338f895c69e83417220dbf33594524928e6076617ca9b40502a54b4ee1f38a8234acee87396f891d7851ad4041553cf32faa04573c4aeadd0d5b2d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
cafd397b2a40883ca008faf7e7514119

SHA1
ff620595eeb91c69ecfd4b08f89170db6b2a114f

SHA256
f4b5c57cfaddc3e99450dc89d8ed5eb3fbfb564dadbcd0f477ba957de712edb7

SHA512
d0889db57e57baaaf8ca7d52ccb255d0adf706bfaab8b9ece579641b2695db89cb408fa71ea8f2d6766363f536deb3c4fdfcfa36e818c23611694478f6328e8a

Download Submit
memory/2148-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing