51e4783d6b7aa4e27c7a42beae9ba0dd453ac52648452f4a9b685c79492d6d5c

General

Target

PHOTO-DEVOCHKA.exe
Size

239KB
MD5

9ea5d4e300dd6c096812711fa3c677d2
SHA1

91ae3f2c828d65fc1d862abda77c875a433a09f8
SHA256

fa673f26eca0e92ae23fd52290a15fed2115c3cce647c93a9d52a069d3f82aaa
SHA512

807886572612c5593192318f2ac65fc0d42a77989ac86ccfd730b9544f5fb14fb4aa54aa10bbc7c0f76cde779149da8662d5abba173a503fd942f9669985949e
SSDEEP

3072:7BAp5XhKpN4eOyVTGfhEClj8jTk+0hWmKlv+Cgw5CKHK:mbXE9OiTGfhEClq9PTQJJUK

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2608	WScript.exe
5	2608	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.ini	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2676	3032	PHOTO-DEVOCHKA.exe	28
PID 3032 wrote to memory of 2676	3032	PHOTO-DEVOCHKA.exe	28
PID 3032 wrote to memory of 2676	3032	PHOTO-DEVOCHKA.exe	28
PID 3032 wrote to memory of 2676	3032	PHOTO-DEVOCHKA.exe	28
PID 3032 wrote to memory of 2608	3032	PHOTO-DEVOCHKA.exe	30
PID 3032 wrote to memory of 2608	3032	PHOTO-DEVOCHKA.exe	30
PID 3032 wrote to memory of 2608	3032	PHOTO-DEVOCHKA.exe	30
PID 3032 wrote to memory of 2608	3032	PHOTO-DEVOCHKA.exe	30

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

Filesize
1KB

MD5
1d630a66e3655ad156c69cc47f6a12c4

SHA1
f2bca046862413bfa17cfe5e4b9389f1c05e0bc5

SHA256
43dd8c4612facfe75f5d32a2f011d41ef79bd447d693f804e1b4a8addfea2dae

SHA512
088beeb03c755a617683f847670a368ee437d5ea115388df9143e993a2116f5eb2a85e761bc326915b4f21c6d348051117c7fbe1d5fe21052cc665890dab8636

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua

Filesize
1KB

MD5
34a3c10d2b8c22e546326a2b43150131

SHA1
d7f091985da68e91f0ba8a067aaa5d9b39b8bf97

SHA256
06c5ccc9ac6787d5d68840c75fd0eff5ac4efb242640e3d6d00517c65870a0f5

SHA512
db189cf8719cdd507c3dcd797aef9b6641c5ca6430d8ca54debe0a38b6a469604cd14414c8fa05501552437affb1d3ab5cadc89b9e7d82d1bfbc691182b5cd3a

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

Filesize
87B

MD5
2048e7f377827684952eac6638737664

SHA1
177f0e8e28f88204df60059d64c6ec3bc108a673

SHA256
e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

SHA512
624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
876c58a010e3783aabbe07379cde0ceb

SHA1
9c575ffe423996c781b7ded17791bfb7d6e161f1

SHA256
68805ab47d88db2bd07456ac670c31a3484757d5daaeb4088a8a48ae8af760ee

SHA512
3340ab50fea94f0d956117a420e4b53efddbe023beb0db762abd89d4f6ddfe7577cd6afa164f4f13de880001d54dd345009af5b376066034be68af9edcf3f06f

Download Submit
memory/3032-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3032-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing