248c4005ba8acd430ae450664273576d82ea3dd40daa557a0331180eb7b37a72

General

Target

PHOTO-GOLAYA.exe
Size

238KB
MD5

2e3a85fe7f547ed4ca30b9fc131d369e
SHA1

d3daf378467bc794ec3e93f9789f128bd8041ab6
SHA256

692244bdd8b7d3161f0a39836d6595926ac2f7917cee12a2d2646737842a9a7f
SHA512

cb0fdd92fe53136137d7a77225894d8d6948c5684cceabdf194af16742a70c10042374fe75d24673e8281b4fdd0e782d3986009879f50a7c9354b40ad1001cc6
SSDEEP

3072:QBAp5XhKpN4eOyVTGfhEClj8jTk+0hijkEDboYxU044U/14+Cgw5CKHm:HbXE9OiTGfhEClq9YEXoyDjUPJJUm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	224	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	PHOTO-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1972	4068	PHOTO-GOLAYA.exe	32
PID 4068 wrote to memory of 1972	4068	PHOTO-GOLAYA.exe	32
PID 4068 wrote to memory of 1972	4068	PHOTO-GOLAYA.exe	32
PID 4068 wrote to memory of 224	4068	PHOTO-GOLAYA.exe	30
PID 4068 wrote to memory of 224	4068	PHOTO-GOLAYA.exe	30
PID 4068 wrote to memory of 224	4068	PHOTO-GOLAYA.exe	30

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
376e5445712d8c5cc0421c410b9e6304

SHA1
8e84244eb890d1b59c250cdcd809462fc8b2cda5

SHA256
cf68688d70933ccc18c5c88a6478ddaa72ac085c62eb40f84b6c002fbc6608ce

SHA512
6612785c73b1e9c155662706d4960a9badfa311154c2362e8b1f3df3f1989c7a4735c350519fdcb9149ce9af57285c34f10826e843e1fe8bd59d24993b910680

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
94B

MD5
192f4e93e60c4e559b075e5f9c2776f6

SHA1
ae3b367b8ebb97ce4d4324a951072872d16ac422

SHA256
6b85eb0052d703b4f2eef6279bc4c6ea1bca7a91ff966ee5f5c899b09e999b06

SHA512
f861f34f0e513acdcda92da757974c1bfb8624bebb10563a94c9ef02340bd264ee8267be9730ad3cec9f527c54cccc31b2a71da83369e31ac454aaae71360198

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs

Filesize
1KB

MD5
c5c2655eb75e4064684a24de4977b8fe

SHA1
d6ad9f0666b127c5284d54b4316a4450af507828

SHA256
145b951757bf065f894c8de1f6da43dce9648f00744860a8905804e9b38429d5

SHA512
0b11dc1de167efe343a201742c6e5e04aae670922fef561c50ad4c2103fee6a5e451179785f9f47b348ba2b4b52cc8a6402ea0eb232634dc9b5ad70d39f29aea

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b4434980101442bcce3e0b0f6d12d743

SHA1
1a68111eba898c9b337b1dcd8cd803e339df5335

SHA256
9e8f7c183744c28ee7e84f2804a12185b1d330e25a929dd71c1adee6f6dbfb93

SHA512
86fc9e287d669446159989e463774cba0a5105c5394231782f41fd61cb41647ab48b4d773de11e06538721c4b10900548ac328e38fbfac217927dd9f9fdf9941

Download Submit
memory/4068-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4068-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing