815708363ca8ecf218d06dac1158c650af3c0789e826812dcfac84c3fa9a0cda

General

Target

RUSSKAYA-GOLAYA.exe
Size

238KB
MD5

356b69500eca08b5e00fce6e11922f63
SHA1

4132beec4d338f4cbcc06c3b0f4d6ed4337c62dc
SHA256

08589e58ed2af1994ca1c816768e5f2a042b0ec7186d2c673a4b5f754f5453f0
SHA512

f34ba040b04feaed119281bf592e57d6bd00bed0f19ed2fc5644ce286321af0127fcebb1233c4c7d5f20f0f85d0be73b6a60164aa5ab515a7b3332af7100018d
SSDEEP

6144:MbXE9OiTGfhEClq9528TfdRoWRg+lNEAJJUm:oU9XiuiJ8DRxl3

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2432	WScript.exe
5	2432	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2824	2460	RUSSKAYA-GOLAYA.exe	28
PID 2460 wrote to memory of 2824	2460	RUSSKAYA-GOLAYA.exe	28
PID 2460 wrote to memory of 2824	2460	RUSSKAYA-GOLAYA.exe	28
PID 2460 wrote to memory of 2824	2460	RUSSKAYA-GOLAYA.exe	28
PID 2460 wrote to memory of 2432	2460	RUSSKAYA-GOLAYA.exe	30
PID 2460 wrote to memory of 2432	2460	RUSSKAYA-GOLAYA.exe	30
PID 2460 wrote to memory of 2432	2460	RUSSKAYA-GOLAYA.exe	30
PID 2460 wrote to memory of 2432	2460	RUSSKAYA-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
145be08a3a04bebad33b7816f025b4b4

SHA1
f1e01e5d7d0628bd7fe21a62f71800ec6a89b06b

SHA256
ea9f727bc90fa8586d0f53ed7d9327b1bc1d2a931c7f1cae5e2b43f0e785683a

SHA512
b34998bf04447b8773fee8ca28ad78158b3062de407cc95611a0e388dba1070529714ef3051779e5316b1bb0654110d5954db77dd86e77d44c7221847c17d35f

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
97B

MD5
3807e1f3cb6ac7e9c85010cdcd2f1f45

SHA1
777efdef5312f5cc7631ade918101598b9db0987

SHA256
5b6842d21454ad96181462652e7c62ad19151a09aaeada14cdc3e1d1784cc637

SHA512
aa15e58fb0beb18ac94d1712b60d8162229983aa7155a859b8f978f8c9dc467b67d7b2eee9e9cb8835692691342c4ace9621ebd56bd83a4eeb0d6deba5671d40

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll

Filesize
1KB

MD5
7348acb8d780feba3362703a13ec0b43

SHA1
cf978c4890e8e3c4bd31fddf6f9d06f66019a546

SHA256
664648d53f9ed92cc20f06d9b479231842ad24a94d59858ec59b8a8abfaa5a08

SHA512
7f2020aa6c63b50d29781a0eebf450df65e5121dd400d2f7372659933890e3347c8a1cfcc9f5cff149a29165689f3d7570c20abf545dd12c2e9f835add547777

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
07747e26ea3ffd06b1e9825864be253c

SHA1
97b8ae03f2a4835ba0cef297bd1582aa2eebb983

SHA256
13e54f2ba2925d259803f92c44c26c3b1739f6340087475159bb140eed3a2f32

SHA512
619747f33df62d66437c874ba60ed33c8a178127ea763388b816bf7b3e332e94c612f6360fd23e008256c73b70b4660278578c2758ad09ae544e10736f8d6b8d

Download Submit
memory/2460-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2460-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing