88bbeebbbc8f5e785357fd9b61d328c81aa3061994169015511899d9a7445fee

General

Target

PHOTO-GOLAYA.exe
Size

180KB
MD5

db89b00c7c939cf554518d57f1377827
SHA1

bf3c125ff67971778b7976dda615d9ed1bc7c2a1
SHA256

cb028ef2b09fae773878ce008daf8719692f62f5036ca9e76fefe9ede348b6a4
SHA512

56d61b7be2c77e43798d7b13b330f7733d1198c3dc9cc2c685d8a5ea2024ebfacdbd42b6452371ab74fb7a215f9fc5e21212cb9759d51d465bb631b612401510
SSDEEP

3072:oBAp5XhKpN4eOyVTGfhEClj8jTk+0hwyWS/LzWNsoauJP94:fbXE9OiTGfhEClq9E/XWNsRm94

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	4644	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 2348	4248	PHOTO-GOLAYA.exe	91
PID 4248 wrote to memory of 2348	4248	PHOTO-GOLAYA.exe	91
PID 4248 wrote to memory of 2348	4248	PHOTO-GOLAYA.exe	91
PID 4248 wrote to memory of 4016	4248	PHOTO-GOLAYA.exe	93
PID 4248 wrote to memory of 4016	4248	PHOTO-GOLAYA.exe	93
PID 4248 wrote to memory of 4016	4248	PHOTO-GOLAYA.exe	93
PID 4248 wrote to memory of 4644	4248	PHOTO-GOLAYA.exe	94
PID 4248 wrote to memory of 4644	4248	PHOTO-GOLAYA.exe	94
PID 4248 wrote to memory of 4644	4248	PHOTO-GOLAYA.exe	94

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat

Filesize
618B

MD5
95df14b25a47ba59c8c55ae624260575

SHA1
680ff195daaed58014e59cf89d4626b4a68ab8a4

SHA256
97e108f9a7186f2c87c37410f8bd63adf51eff8320a1781bd2da47f761a35895

SHA512
50d923c6356acb1c210a34423f44ef18bd97ca755da39c191335d72e03d37d5220b997e061316485c341d48de1186c990280458306ebb59e9a16d5167ea60440

Download Submit
C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
622B

MD5
782c069d2a56e96c43670ca154b05c8d

SHA1
c2de1923fa7207a77a6dcd20ff426964609e8524

SHA256
902aba7fbeda831596499dc094b97a401ec359bdc93a8b224b010f5e448ad008

SHA512
96ffae7e92c919615b50c8996a57814a22519694c71673a198f8b757323b17488ed2d76ef5bb57fb0e0695a6b77e86f9cb87826dedb58770150c9d43c39fe6c1

Download Submit
C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
490B

MD5
9db9efebe6e1402bd2dc6c580459bbbf

SHA1
0b8b60cd3a5714ec195a8010e1518e2ac370b967

SHA256
28fba5e76d757fadb46ed62d757ccddc2884b37a7de86a506f26316269b8936d

SHA512
90979507f17265d008c22af3bb44840732047c0d29e234b315d8ab328dc248334e738a425452431537bb3ee8e9ba4cb45314993ddab8bc3c6cd370bd8bf5cfc7

Download Submit
C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa

Filesize
74B

MD5
a53a5a1f903850e67c4009f69cab52df

SHA1
5b5c3a9ceb8d3d589bb547e4828ee5aa5ad2d251

SHA256
87b2b49c62d2b891333b6e211e81fe8c07259639baa20f2fecea09034f857924

SHA512
936b05b93daf666b808782b80a46fa85a7e1b43dae813759c9e5c0f80aae9769ee1d196c5be53528d9966de6c3f834aa8a06d1e4350efeb04e41eeac7f796875

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
a8d8655c77d6cfe3ddb1fb98ce2a4b96

SHA1
ab5f6867cf7f76bc3f19a6abfefe60a461f20d52

SHA256
ac4c821e48a769f70bfe6a24035976d13292d7cffec4c022372677de04dcbb81

SHA512
15de8a16ecc57e8c96df22543ce80e7912477ee92ddc24eab51c2b8570327cede8926943e9e7c16b71253f495c4daa3fc929610718d4bd151c3940ebab7724bd

Download Submit
memory/4248-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing