Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2024 09:38

General

  • Target

    PHOTO-GOLAYA.exe

  • Size

    149KB

  • MD5

    ccca394b1369e766c53346550b481c57

  • SHA1

    47dccd3fc9b7bf7c98f75fa11725089d5a977b4c

  • SHA256

    211901e1229d7b816754146ff8d7167e8a92211afe63dc44eb8056d0b054a12a

  • SHA512

    98625c9dd7cc8b57609ce20f6f295dc8704a75b49cde806ddbbb040cf3832028425bed0cd0da0c501508fabd2cdc59cd1717fa948362281848ed4ba798990712

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hisUwxgTpLnNq:AbXE9OiTGfhEClq9TwxgJn0

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4796
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\salst\ogurets\all3.vbs

    Filesize

    358B

    MD5

    559c8ec72bf701870603c0f79907234c

    SHA1

    f3a809dee961f1f3d6c5c384596504981273fd77

    SHA256

    51611da1f1bedbfc97fa015b41bc5e5ebfe61b8eb2aca050d440c642dd0c41c6

    SHA512

    6616f4ac087e1b9e6f1bff0e5d844e316cddd5a2409e97b88118410475ab1bb544d59d6006940f74cad176470bc58112608d2b7bc01e71f0b232c6cdfa551a6a

  • C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs

    Filesize

    826B

    MD5

    b0350182dcd735cf07e9c501cff5e7a1

    SHA1

    6dc80006d0d6e0e1d136826ab0e2a6c9bc61b950

    SHA256

    9659ca4ab0f584f9f3bbb5135eb0d12ebc3d24cbbdc719c7d7338f59d401f410

    SHA512

    3ba96b3082f3a98a3adc452d1f52284bd49b2d035f0fbe960738324b624b8e2a70254bbed7a7f0d29ff6f5cd756f01f29d3fbba75419d9ed652879cdf79312ea

  • C:\Program Files (x86)\salst\ogurets\podkati.bat

    Filesize

    3KB

    MD5

    a131962527d3b919e7c23267a2b0cdc4

    SHA1

    e7d2e84d765b7c2011bb91c78c93da33227dcfc8

    SHA256

    72375ee539442bf129b7ad6c3dbc68728b16a2106cef403000f26a833dd12322

    SHA512

    cfd69e3b434c9b4262b929b02e7616151f2960df56cc632f8c0e4d6e3a2f724c34db7d71e1bc984bccd9cc0a39a77e6da86cc4d675c2af0d3ae09bf981694cbc

  • C:\Program Files (x86)\salst\ogurets\polenolll.pof

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\salst\ogurets\stuckja.jol

    Filesize

    64B

    MD5

    61391af0a6e3c8f6d08b46b623eb3c2e

    SHA1

    ffe8b74b2c5920b13fabd2f203ab2c6171be663a

    SHA256

    d0a90a49e36d502e4903b5062712bca9006ae0afd349d4e9a74789eb68189685

    SHA512

    f98bbbb3602936619714dcf787c3589948291e6e7a0c69f404e8b636a3c7ce608ac400b589b828f31270c550ef28f8a741fc40d8d018e28f0fe4512d50140180

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    df9b25e7fc1b8f02d5e6348784442649

    SHA1

    4be37eed1998437e5384f5ada9d7eb686a2981fd

    SHA256

    a2007761f8fb7fc7ee27b33aea1d9a61ae67bec345507950aacd56e065fa234c

    SHA512

    c3f73b77f7b1709776d13a44249da80fa2d94b2bdcdb996552f6d7379849cf34dbd7600cb53837b89593db8f26fe5e64b2d3a542a64c0023677b8be4ec657062

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    d9a93296f8c62ab96271667c72d7a3b3

    SHA1

    abcf5a6ed773cfc978fc2176138778ad406c188a

    SHA256

    f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

    SHA512

    f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

  • memory/3100-55-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB