88bbeebbbc8f5e785357fd9b61d328c81aa3061994169015511899d9a7445fee

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PHOTO-GOLAYA.exe
Size

180KB
MD5

db89b00c7c939cf554518d57f1377827
SHA1

bf3c125ff67971778b7976dda615d9ed1bc7c2a1
SHA256

cb028ef2b09fae773878ce008daf8719692f62f5036ca9e76fefe9ede348b6a4
SHA512

56d61b7be2c77e43798d7b13b330f7733d1198c3dc9cc2c685d8a5ea2024ebfacdbd42b6452371ab74fb7a215f9fc5e21212cb9759d51d465bb631b612401510
SSDEEP

3072:oBAp5XhKpN4eOyVTGfhEClj8jTk+0hwyWS/LzWNsoauJP94:fbXE9OiTGfhEClq9E/XWNsRm94

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2580	WScript.exe
7	2580	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2776	1740	PHOTO-GOLAYA.exe	17
PID 1740 wrote to memory of 2776	1740	PHOTO-GOLAYA.exe	17
PID 1740 wrote to memory of 2776	1740	PHOTO-GOLAYA.exe	17
PID 1740 wrote to memory of 2776	1740	PHOTO-GOLAYA.exe	17
PID 1740 wrote to memory of 2684	1740	PHOTO-GOLAYA.exe	31
PID 1740 wrote to memory of 2684	1740	PHOTO-GOLAYA.exe	31
PID 1740 wrote to memory of 2684	1740	PHOTO-GOLAYA.exe	31
PID 1740 wrote to memory of 2684	1740	PHOTO-GOLAYA.exe	31
PID 1740 wrote to memory of 2580	1740	PHOTO-GOLAYA.exe	30
PID 1740 wrote to memory of 2580	1740	PHOTO-GOLAYA.exe	30
PID 1740 wrote to memory of 2580	1740	PHOTO-GOLAYA.exe	30
PID 1740 wrote to memory of 2580	1740	PHOTO-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat

Filesize
618B

MD5
95df14b25a47ba59c8c55ae624260575

SHA1
680ff195daaed58014e59cf89d4626b4a68ab8a4

SHA256
97e108f9a7186f2c87c37410f8bd63adf51eff8320a1781bd2da47f761a35895

SHA512
50d923c6356acb1c210a34423f44ef18bd97ca755da39c191335d72e03d37d5220b997e061316485c341d48de1186c990280458306ebb59e9a16d5167ea60440

Download Submit
C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
622B

MD5
782c069d2a56e96c43670ca154b05c8d

SHA1
c2de1923fa7207a77a6dcd20ff426964609e8524

SHA256
902aba7fbeda831596499dc094b97a401ec359bdc93a8b224b010f5e448ad008

SHA512
96ffae7e92c919615b50c8996a57814a22519694c71673a198f8b757323b17488ed2d76ef5bb57fb0e0695a6b77e86f9cb87826dedb58770150c9d43c39fe6c1

Download Submit
C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
490B

MD5
9db9efebe6e1402bd2dc6c580459bbbf

SHA1
0b8b60cd3a5714ec195a8010e1518e2ac370b967

SHA256
28fba5e76d757fadb46ed62d757ccddc2884b37a7de86a506f26316269b8936d

SHA512
90979507f17265d008c22af3bb44840732047c0d29e234b315d8ab328dc248334e738a425452431537bb3ee8e9ba4cb45314993ddab8bc3c6cd370bd8bf5cfc7

Download Submit
C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa

Filesize
74B

MD5
a53a5a1f903850e67c4009f69cab52df

SHA1
5b5c3a9ceb8d3d589bb547e4828ee5aa5ad2d251

SHA256
87b2b49c62d2b891333b6e211e81fe8c07259639baa20f2fecea09034f857924

SHA512
936b05b93daf666b808782b80a46fa85a7e1b43dae813759c9e5c0f80aae9769ee1d196c5be53528d9966de6c3f834aa8a06d1e4350efeb04e41eeac7f796875

Download Submit
memory/1740-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download