56d31f6ee3447e31231f740adfc9e91095bd85a561e96c3944b7485ebe9127bf

General

Target

PHOTO-GOLAYA.exe
Size

149KB
MD5

86963b99db7a9d6660798be28b910d61
SHA1

99c2e0024d8bf88f592b445d7f33fa82d19a27e1
SHA256

4d290ca6bfc7bf253d6c7e40aa8e72f664bc461953e07a0e6461e2f460d0f8ec
SHA512

ea5d866e2a0372dd5376a0e45cafe2906b1206c59b86339c9588a1c98b734ec2fcd331e9614b99857fce5f7626614dfac422ed3ba49a57082e52361b2fc33555
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hir1X1sVys8qMi6nHL2:AbXE9OiTGfhEClq9dd1I8qSn6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2468	WScript.exe
5	2468	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\infocars.vbs	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\inown\aboutmyside\Uninstall.ini	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\lit.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\bautmyside.txt	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\Uninstall.exe	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2632	2660	PHOTO-GOLAYA.exe	28
PID 2660 wrote to memory of 2632	2660	PHOTO-GOLAYA.exe	28
PID 2660 wrote to memory of 2632	2660	PHOTO-GOLAYA.exe	28
PID 2660 wrote to memory of 2632	2660	PHOTO-GOLAYA.exe	28
PID 2632 wrote to memory of 2468	2632	cmd.exe	30
PID 2632 wrote to memory of 2468	2632	cmd.exe	30
PID 2632 wrote to memory of 2468	2632	cmd.exe	30
PID 2632 wrote to memory of 2468	2632	cmd.exe	30
PID 2660 wrote to memory of 2488	2660	PHOTO-GOLAYA.exe	31
PID 2660 wrote to memory of 2488	2660	PHOTO-GOLAYA.exe	31
PID 2660 wrote to memory of 2488	2660	PHOTO-GOLAYA.exe	31
PID 2660 wrote to memory of 2488	2660	PHOTO-GOLAYA.exe	31

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\infocars.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs

Filesize
796B

MD5
94bebe4d23ad981994a078f69c4cb172

SHA1
c925bd18ccc8cb15efd4b4e8236711e1655ed937

SHA256
791c0b84812815dcd580d3597c4101838518a8a27f664fbc51e000bd1a7fab00

SHA512
499c078b0074598ceceb57d87d464b461a53cf1c32a6caeb01ab26c1c91f25cd010c8cbef7002ec525032145e2d319243c6f485e608cb69ace381997e07f0def

Download Submit
C:\Program Files (x86)\inown\aboutmyside\infocars.vbs

Filesize
334B

MD5
4dac2c8699edc17fbb7036ca3ec636b6

SHA1
e8a316283f5ad515a4163395442556aa41c929c7

SHA256
6e0b74f4db571a5acb966ee1dd836c61b723a59ccc31aeff28e678068b43fbdf

SHA512
4f0dc350e1e465ec609ff44e3618a57e16af6f7221072965afd70c00fe778831b869677cfc321c3bcd411885946ed486b88b5efca68729ad6bb0e0ba32932a10

Download Submit
C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life

Filesize
50B

MD5
2fbbd6510fe26068e7e81bbc7c185025

SHA1
804798609e017cf1aa1cdf39cc823f2758728301

SHA256
60cd1ca9ed0335145319ed37d63337ae5de58788e6eccf73e6f91d370f9d6240

SHA512
6e006158333d5f5b8f5ba46b921b52399866256a50fe14f340c5b44ee44f7bef096ca38f3afe3717272d5b731e041e4f656ad98c1c46ad26cdbed5d6c524b325

Download Submit
C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat

Filesize
3KB

MD5
ebd31ee99794ccbe7c3b915688758e84

SHA1
4df1ee78abf06155806771fc0a1aeeca6f62772e

SHA256
e79babef2174d2a472455a0848850d4aa759bb9870633f3a5a97e753087b3d0f

SHA512
576a6f570b8f023d113324dfc504e1d043ab108717024bbfe0f37476a6561df320007b0209c3af70d7c9654dd80e6861a1d896d019bb7b6f2977c7ee92008a94

Download Submit
C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
44ccd2e0f82c735fbef30c341d6bfc10

SHA1
8cc305f7f8fff401380175ae0cc7d0df99b83373

SHA256
d29b19381fbf3494195232c63a36e6a9d38de4e2db3e80ae3f007a36e9674db3

SHA512
8627b9c13415f5d9c917692281f2a33aa4286f0a50b0d08933ca663cd6cc12fb17256a2270ff283dd497661001b6c06f3d16e889215821659fa24ede367dfe07

Download Submit
memory/2660-71-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing