56d31f6ee3447e31231f740adfc9e91095bd85a561e96c3944b7485ebe9127bf

General

Target

PHOTO-GOLAYA.exe
Size

149KB
MD5

86963b99db7a9d6660798be28b910d61
SHA1

99c2e0024d8bf88f592b445d7f33fa82d19a27e1
SHA256

4d290ca6bfc7bf253d6c7e40aa8e72f664bc461953e07a0e6461e2f460d0f8ec
SHA512

ea5d866e2a0372dd5376a0e45cafe2906b1206c59b86339c9588a1c98b734ec2fcd331e9614b99857fce5f7626614dfac422ed3ba49a57082e52361b2fc33555
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hir1X1sVys8qMi6nHL2:AbXE9OiTGfhEClq9dd1I8qSn6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	3928	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\lit.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\infocars.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\inown\aboutmyside\Uninstall.ini	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\bautmyside.txt	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 3220	3936	PHOTO-GOLAYA.exe	92
PID 3936 wrote to memory of 3220	3936	PHOTO-GOLAYA.exe	92
PID 3936 wrote to memory of 3220	3936	PHOTO-GOLAYA.exe	92
PID 3220 wrote to memory of 3928	3220	cmd.exe	94
PID 3220 wrote to memory of 3928	3220	cmd.exe	94
PID 3220 wrote to memory of 3928	3220	cmd.exe	94
PID 3936 wrote to memory of 2520	3936	PHOTO-GOLAYA.exe	95
PID 3936 wrote to memory of 2520	3936	PHOTO-GOLAYA.exe	95
PID 3936 wrote to memory of 2520	3936	PHOTO-GOLAYA.exe	95

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\infocars.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs

Filesize
796B

MD5
94bebe4d23ad981994a078f69c4cb172

SHA1
c925bd18ccc8cb15efd4b4e8236711e1655ed937

SHA256
791c0b84812815dcd580d3597c4101838518a8a27f664fbc51e000bd1a7fab00

SHA512
499c078b0074598ceceb57d87d464b461a53cf1c32a6caeb01ab26c1c91f25cd010c8cbef7002ec525032145e2d319243c6f485e608cb69ace381997e07f0def

Download Submit
C:\Program Files (x86)\inown\aboutmyside\infocars.vbs

Filesize
334B

MD5
4dac2c8699edc17fbb7036ca3ec636b6

SHA1
e8a316283f5ad515a4163395442556aa41c929c7

SHA256
6e0b74f4db571a5acb966ee1dd836c61b723a59ccc31aeff28e678068b43fbdf

SHA512
4f0dc350e1e465ec609ff44e3618a57e16af6f7221072965afd70c00fe778831b869677cfc321c3bcd411885946ed486b88b5efca68729ad6bb0e0ba32932a10

Download Submit
C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life

Filesize
50B

MD5
2fbbd6510fe26068e7e81bbc7c185025

SHA1
804798609e017cf1aa1cdf39cc823f2758728301

SHA256
60cd1ca9ed0335145319ed37d63337ae5de58788e6eccf73e6f91d370f9d6240

SHA512
6e006158333d5f5b8f5ba46b921b52399866256a50fe14f340c5b44ee44f7bef096ca38f3afe3717272d5b731e041e4f656ad98c1c46ad26cdbed5d6c524b325

Download Submit
C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat

Filesize
3KB

MD5
ebd31ee99794ccbe7c3b915688758e84

SHA1
4df1ee78abf06155806771fc0a1aeeca6f62772e

SHA256
e79babef2174d2a472455a0848850d4aa759bb9870633f3a5a97e753087b3d0f

SHA512
576a6f570b8f023d113324dfc504e1d043ab108717024bbfe0f37476a6561df320007b0209c3af70d7c9654dd80e6861a1d896d019bb7b6f2977c7ee92008a94

Download Submit
C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a93296f8c62ab96271667c72d7a3b3

SHA1
abcf5a6ed773cfc978fc2176138778ad406c188a

SHA256
f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

SHA512
f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

Download Submit
memory/3936-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing