5f9ea23903eb6da0187716e061aa41f0f880828fb516b6806712f5bcde266a67

General

Target

PHOTO-GOLAYA.exe
Size

149KB
MD5

5e337da135d63887a756e2cba5fcc0c8
SHA1

c367eaa24241c19410bbbe2ff4d2c39d4cdd1990
SHA256

d9d056c7d128ec893e43a4c7b315e9437629f851f51aee6d366c1022a48bdff1
SHA512

54b3a00c9317c2d5ea338a2450e655dd5c822531c97bb8cd164272a10650421676c1ea9634de1ed2c9454885b04653773235c605f95befb7d848eef6779c0172
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hijeF9RCyllP:AbXE9OiTGfhEClq949vD

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
34	1096	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Produc\New\poppets.txt	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nuashks.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nadopilitsa.nabazu	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nadopilitsa.vbs	cmd.exe
File created	C:\Program Files (x86)\Produc\New\nadopilitsa.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nevedomaya.hernya	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\samisok.vbs	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\Produc\New\Uninstall.ini	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2912	1764	PHOTO-GOLAYA.exe	94
PID 1764 wrote to memory of 2912	1764	PHOTO-GOLAYA.exe	94
PID 1764 wrote to memory of 2912	1764	PHOTO-GOLAYA.exe	94
PID 2912 wrote to memory of 1096	2912	cmd.exe	96
PID 2912 wrote to memory of 1096	2912	cmd.exe	96
PID 2912 wrote to memory of 1096	2912	cmd.exe	96
PID 1764 wrote to memory of 796	1764	PHOTO-GOLAYA.exe	97
PID 1764 wrote to memory of 796	1764	PHOTO-GOLAYA.exe	97
PID 1764 wrote to memory of 796	1764	PHOTO-GOLAYA.exe	97

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Produc\New\nadopilitsa.vbs

Filesize
269B

MD5
f8e76085c4bab58dcb161028c3aae9c9

SHA1
764af0a064b08e40beeab421df76d3c7fb389c75

SHA256
e7388abfc5e55e53c9a06f74e6000107b15641c3d99fe89d9f990584049b4ad6

SHA512
7c557fdee8163233be08a494955b02af789d37fefc5429b966079c83950f4b79ec50c7f521ba0cc72cb762c300ab96ce72c1bc90a3eca6eeed67e1a2614a8b61

Download Submit
C:\Program Files (x86)\Produc\New\nevedomaya.hernya

Filesize
48B

MD5
7215ed14e21d41517551593a906dfa9e

SHA1
572ec6424f46b19e5b1a0ebcb58df8efadaa37aa

SHA256
248f4f03a3bac68d3f2231e72dcdb82d16ba4a49631306e231200c36a4d7d6b6

SHA512
c81fcc628b6178017cacdbf7c57b5bd3304ea1e6a43b4c8164082f6d701f7f03c16d3026b011819ee76cb4609ca8c00e70566382cd839fba9fe714e1d0a1f7e5

Download Submit
C:\Program Files (x86)\Produc\New\nuashks.bat

Filesize
3KB

MD5
c151e8a63db1332daeaf336c6767f918

SHA1
3c41d44604d19b3ce2bb9a1971a94ebf2a1f50bd

SHA256
c9f0675570ce4487e3b60e2b3e5433ad76c0ec354a41d8135fb0318e40f39e95

SHA512
bb483dc05f7eeb6e6a73c76d6bf95e1e322b609d759dee27c5e21b682d8c249b3e60cc25f7f47ee152f0b8eccea90252daed9235153e3258423221c233f80c44

Download Submit
C:\Program Files (x86)\Produc\New\poppets.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Produc\New\samisok.vbs

Filesize
740B

MD5
152fab0ac0684c4b7383883ecb4c42f7

SHA1
dc2487afd2302751686b5f7af5ec65ecd05c75c5

SHA256
d28c1370bce14ca6aa38e81d6c6deb3e43b04849bead1795d940c1e59f2cde4d

SHA512
da52cafc25583799b8138044cfd25f0cc66c7d01b1cf369b8960c1865d9a6a348be0ee90b417ad72455f3919f7553ef4db971c7ff56855b40bf4d772ba8efee3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a93296f8c62ab96271667c72d7a3b3

SHA1
abcf5a6ed773cfc978fc2176138778ad406c188a

SHA256
f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

SHA512
f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

Download Submit
memory/1764-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1764-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing