6469cdc62fdb11834beb6461d2678729569ae4834984f66d22b71d110bf464de

General

Target

PHOTO-DEVOCHKA.exe
Size

180KB
MD5

02c11f1ec6c372847460c9afd76390dd
SHA1

032ee4e4369c55489abc2971a8b2c295e368b780
SHA256

4c9f213973c5144faafaad68cb94b809519752309208b998bb49621f02d8eabf
SHA512

1910f7447c783469c0853629500de9335717cb19e083a1502bee7031c26a3738535bfd5d74b7dafa1034a6b8079fe0482aba165f40598b410c5a8a8304a0d2fa
SSDEEP

3072:VBAp5XhKpN4eOyVTGfhEClj8jTk+0hvA8DN5TcKM4xoawC3Tw:wbXE9OiTGfhEClq92A8DP1Mvabk

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2640	WScript.exe
5	2640	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\conservationistsandother.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Elaeioleiferandhemar.ipa	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Crudepalmilutures.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\yellowishfattyilobtained.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2836	2976	PHOTO-DEVOCHKA.exe	21
PID 2976 wrote to memory of 2836	2976	PHOTO-DEVOCHKA.exe	21
PID 2976 wrote to memory of 2836	2976	PHOTO-DEVOCHKA.exe	21
PID 2976 wrote to memory of 2836	2976	PHOTO-DEVOCHKA.exe	21
PID 2976 wrote to memory of 2772	2976	PHOTO-DEVOCHKA.exe	18
PID 2976 wrote to memory of 2772	2976	PHOTO-DEVOCHKA.exe	18
PID 2976 wrote to memory of 2772	2976	PHOTO-DEVOCHKA.exe	18
PID 2976 wrote to memory of 2772	2976	PHOTO-DEVOCHKA.exe	18
PID 2976 wrote to memory of 2640	2976	PHOTO-DEVOCHKA.exe	19
PID 2976 wrote to memory of 2640	2976	PHOTO-DEVOCHKA.exe	19
PID 2976 wrote to memory of 2640	2976	PHOTO-DEVOCHKA.exe	19
PID 2976 wrote to memory of 2640	2976	PHOTO-DEVOCHKA.exe	19

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\yellowishfattyilobtained.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\conservationistsandother.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Crudepalmilutures.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Crudepalmilutures.bat

Filesize
715B

MD5
03eba18623b9331f83578dec7930c482

SHA1
27a9f2ce863b7dd6e897e6daec56562433f1e0fd

SHA256
41f1a182339522ac984b1276a4fdc96acc48e5d16282fb8fb8f92fc956ffb9cb

SHA512
d8e00b2337739478521fe61e557beecbc02ecce7923ea435cf3432652f5cbe2c699751a2c0178c23c096797e9d067c19349290badbb9824a6ad8348c0ec01129

Download Submit
C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\Elaeioleiferandhemar.ipa

Filesize
71B

MD5
9b3268dccd0bdadd9b1befd0c76798a1

SHA1
cc47c18947b39a560f6501c8801bdd44b0bafa2f

SHA256
713453321d24315e307a5c1f93f56f5dbd2e01d056d7b94a2a27726c7b3abf34

SHA512
c2927d27eabd4822d4dd2fb9be06b714fc40a564b1896e44ae27f392654953c1c252bd2bb2d6467c821e739f8d2968c537b267a30197a7f82857f8a8f3c06e75

Download Submit
C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\conservationistsandother.vbs

Filesize
500B

MD5
9fbb0531c4af46af59305936a6ec66be

SHA1
81ef1472a34f9c90738cfdb6cd8be71d6518de4e

SHA256
5c41e584453cfe13a7b3d2116fb0702a7e3431132ab275c9d2c3aab6319b421a

SHA512
491c5fc06c1468453c2e9998ddb9da467b1147ff035e679ce30a05b2511891d25cb0d856bb858dc1089523ce566c2a7bcf02acb03a00e2d1e02d7dc13f3ca849

Download Submit
C:\Program Files (x86)\primarily the African odfgm\Palm oil is an edible vegdfg\palm\yellowishfattyilobtained.vbs

Filesize
645B

MD5
ef69ef221195bc42cc1ccf574c7e713f

SHA1
d0d6fe3ef8060c5a7911029e32a052218d1ea2a5

SHA256
b5a51b1c65448becfc32b59be5ea7e885a085fe4cfad3c1a9494a6af16417a8e

SHA512
f0e2df84bd3e4e7db8c5e22d374d97b727311f7295504cba2353e1844e9a7216eb7165b1b2c824a7663d48f108491de51fa6a74514fafd50af940fe8099953e8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b1a83c2c02778e64afacccb5ae10c5c7

SHA1
32dbbc35a592c7fcad91b2813353b24da801cb01

SHA256
c2755cb37781c6c43ef83788ba6f6afc2fdeddc54779135daf6493b099a5215e

SHA512
2e1390d764f539ce909f9e039c2419453f8ae051f284c384bd624f77151f087e8255750a00a051cad7f2629a8b1df7c7c13b9d51260a9620e32640abdac25e15

Download Submit
memory/2976-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing