248c4005ba8acd430ae450664273576d82ea3dd40daa557a0331180eb7b37a72

General

Target

PHOTO-GOLAYA.exe
Size

238KB
MD5

2e3a85fe7f547ed4ca30b9fc131d369e
SHA1

d3daf378467bc794ec3e93f9789f128bd8041ab6
SHA256

692244bdd8b7d3161f0a39836d6595926ac2f7917cee12a2d2646737842a9a7f
SHA512

cb0fdd92fe53136137d7a77225894d8d6948c5684cceabdf194af16742a70c10042374fe75d24673e8281b4fdd0e782d3986009879f50a7c9354b40ad1001cc6
SSDEEP

3072:QBAp5XhKpN4eOyVTGfhEClj8jTk+0hijkEDboYxU044U/14+Cgw5CKHm:HbXE9OiTGfhEClq9YEXoyDjUPJJUm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2708	WScript.exe
5	2708	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2712	2020	PHOTO-GOLAYA.exe	28
PID 2020 wrote to memory of 2712	2020	PHOTO-GOLAYA.exe	28
PID 2020 wrote to memory of 2712	2020	PHOTO-GOLAYA.exe	28
PID 2020 wrote to memory of 2712	2020	PHOTO-GOLAYA.exe	28
PID 2020 wrote to memory of 2708	2020	PHOTO-GOLAYA.exe	30
PID 2020 wrote to memory of 2708	2020	PHOTO-GOLAYA.exe	30
PID 2020 wrote to memory of 2708	2020	PHOTO-GOLAYA.exe	30
PID 2020 wrote to memory of 2708	2020	PHOTO-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
376e5445712d8c5cc0421c410b9e6304

SHA1
8e84244eb890d1b59c250cdcd809462fc8b2cda5

SHA256
cf68688d70933ccc18c5c88a6478ddaa72ac085c62eb40f84b6c002fbc6608ce

SHA512
6612785c73b1e9c155662706d4960a9badfa311154c2362e8b1f3df3f1989c7a4735c350519fdcb9149ce9af57285c34f10826e843e1fe8bd59d24993b910680

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
94B

MD5
192f4e93e60c4e559b075e5f9c2776f6

SHA1
ae3b367b8ebb97ce4d4324a951072872d16ac422

SHA256
6b85eb0052d703b4f2eef6279bc4c6ea1bca7a91ff966ee5f5c899b09e999b06

SHA512
f861f34f0e513acdcda92da757974c1bfb8624bebb10563a94c9ef02340bd264ee8267be9730ad3cec9f527c54cccc31b2a71da83369e31ac454aaae71360198

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll

Filesize
1KB

MD5
c5c2655eb75e4064684a24de4977b8fe

SHA1
d6ad9f0666b127c5284d54b4316a4450af507828

SHA256
145b951757bf065f894c8de1f6da43dce9648f00744860a8905804e9b38429d5

SHA512
0b11dc1de167efe343a201742c6e5e04aae670922fef561c50ad4c2103fee6a5e451179785f9f47b348ba2b4b52cc8a6402ea0eb232634dc9b5ad70d39f29aea

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
07747e26ea3ffd06b1e9825864be253c

SHA1
97b8ae03f2a4835ba0cef297bd1582aa2eebb983

SHA256
13e54f2ba2925d259803f92c44c26c3b1739f6340087475159bb140eed3a2f32

SHA512
619747f33df62d66437c874ba60ed33c8a178127ea763388b816bf7b3e332e94c612f6360fd23e008256c73b70b4660278578c2758ad09ae544e10736f8d6b8d

Download Submit
memory/2020-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2020-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing