Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-03-2024 15:48

General

  • Target

    PHOTO-DEVOCHKA.exe

  • Size

    149KB

  • MD5

    ff086d0d59b161c9b6c042e902323622

  • SHA1

    a5533ae498366582e9b08cc28821ffd1e00f92a7

  • SHA256

    abdc11a0da5cdc6e005a8fa09cf6398ec337cf7801cf5231e50e987345812ea3

  • SHA512

    c779d69cad19597bf9a619d6f4599d7df4219d77e6144ee694c5076db56013e34781a691d93e6caac15a861b404bc1c15fdce8e70cb02b90ed7a0cc7015738a6

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hieh/zn7BWR:AbXE9OiTGfhEClq9Mh/zn4R

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for a geofence check.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1404
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4076
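
The chain above (an EXE in the user's Temp directory starts cmd.exe on a dropped .bat under Program Files (x86), which starts WScript.exe on a dropped .vbs, and a second WScript.exe on another dropped .vbs) is the kind of lineage that process-creation telemetry can catch. The following is an added example, not part of the sandbox report or its signature set: the events are constructed to mirror the process tree above (PID 900 is a placeholder for the unknown parent of the sample, and the last event is a constructed benign control), and the rules are illustrative hunting heuristics rather than the sandbox's own detections.

```python
"""Hunting logic for the process chain in this report (added example; the
rules are illustrative heuristics, not the sandbox's signatures)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as recorded (Sysmon Event ID 1 style)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# An executable living in the user's Temp directory (the sample's location above).
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# A script or batch file stored under Program Files or Program Files (x86).
PROGFILES_SCRIPT_RE = re.compile(
    r'C:\\Program Files( \(x86\))?\\[^"]*\.(vbs|vbe|js|jse|bat|cmd)\b', re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links until a PID we hold no event for (or a cycle)."""
    chain, seen = [], {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        reasons = []
        name = image_name(e.image)
        if name in SCRIPT_HOSTS and PROGFILES_SCRIPT_RE.search(e.cmdline):
            reasons.append("script host executing a script stored under Program Files")
        if name == "cmd.exe" and PROGFILES_SCRIPT_RE.search(e.cmdline):
            reasons.append("cmd.exe executing a batch file stored under Program Files")
        # Correlate with lineage: does the chain descend from an EXE run out of %TEMP%?
        if reasons and any(USER_TEMP_RE.search(a.image) for a in ancestors(e.pid, by_pid)):
            reasons.append("descends from an executable launched from the user's Temp directory")
        if reasons:
            findings[e.pid] = reasons
    return findings


# Constructed events mirroring the Processes section of this report.
# PID 900 stands in for the unknown launcher of the sample.
EVENTS = [
    ProcEvent(1492, 900, r"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"'),
    ProcEvent(1584, 1492, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "'),
    ProcEvent(1404, 1584, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"'),
    ProcEvent(4076, 1492, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"'),
    # Constructed benign control: a user-run script outside Program Files, no Temp ancestor.
    ProcEvent(2200, 900, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Documents\report.vbs"'),
]

if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The first two rules on their own will fire on some legitimate installers; the lineage rule is what turns them into a high-confidence finding here, since nothing legitimate should be dropping loose scripts into Program Files from an executable in the user's Temp directory.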

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Produc\New\nadopilitsa.vbs

    Filesize

    263B

    MD5

    8affe5f3cc3622a72b17ba1861da99af

    SHA1

    f2b7ad55d7e0168ae48f6e736560eccbf2a8b955

    SHA256

    2fa050fa8d290bd8e82a5eb68acdf60b7a69c2cd6ad84a48db4d4ec2330bc742

    SHA512

    f83cb16172fa07b340f5e36a21d442f0725006293a931b5861c44e43ac84351b40838b40937c3f1784a6e292c40f91df5c0e2ce3d3e6894757e1469b225c25d8

  • C:\Program Files (x86)\Produc\New\nevedomaya.hernya

    Filesize

    48B

    MD5

    7215ed14e21d41517551593a906dfa9e

    SHA1

    572ec6424f46b19e5b1a0ebcb58df8efadaa37aa

    SHA256

    248f4f03a3bac68d3f2231e72dcdb82d16ba4a49631306e231200c36a4d7d6b6

    SHA512

    c81fcc628b6178017cacdbf7c57b5bd3304ea1e6a43b4c8164082f6d701f7f03c16d3026b011819ee76cb4609ca8c00e70566382cd839fba9fe714e1d0a1f7e5

  • C:\Program Files (x86)\Produc\New\nuashks.bat

    Filesize

    3KB

    MD5

    301b2cca659b0b0e9ce48260d2cf0c16

    SHA1

    c1fd6cd76c4db862aa9550b2300f8fe960906f2b

    SHA256

    35e4e941f3273ecca02b2c808d094eb0e165cd0d14433f1841990d6a93257f35

    SHA512

    1065d922ac195777c427e07c06a70db43b10ba096c3d2919b8dbab0b04b11b581a1c2b9081566d8e01af031ca78f26ff1795c5544b70ed6fbe6c7d266133acbf

  • C:\Program Files (x86)\Produc\New\poppets.txt

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\Produc\New\samisok.vbs

    Filesize

    810B

    MD5

    df166046c6da51ce4a90b0b7db6ef5a0

    SHA1

    14d786fe25a3905b1743973c7f9989a379f1433f

    SHA256

    ba65b8fdade56e9d32701aeaeb737ecca78a55917084e8a0f55088e55ba4fa7c

    SHA512

    2838a7c2ed28c362b7af6548d7437cd7a77c8b4b6f010305faeee37b7aa592e34a1b6e79cc4f3de0c5539f30dc6263f74dd827fbede41a8f1774d8f732dfb19d

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    d9a93296f8c62ab96271667c72d7a3b3

    SHA1

    abcf5a6ed773cfc978fc2176138778ad406c188a

    SHA256

    f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

    SHA512

    f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

  • memory/1492-57-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB
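
The hashes in this section are the reusable part of the report for triage on other hosts. The following added example (not part of the report) matches file contents against the SHA256 values listed above and parses a hosts file for active mappings; a stock Windows hosts file contains only comments (even the localhost lines are commented out), so any active entry on a host that should still have the default file deserves a look. The hosts content in the block is constructed for illustration and is not the file dropped by this sample.

```python
"""Triage helpers for the artifacts listed in this report (added example)."""
import hashlib
from typing import List, Optional, Tuple

# SHA256 values copied from the General and Downloads sections of this report.
KNOWN_SHA256 = {
    "abdc11a0da5cdc6e005a8fa09cf6398ec337cf7801cf5231e50e987345812ea3": "PHOTO-DEVOCHKA.exe (submitted sample)",
    "2fa050fa8d290bd8e82a5eb68acdf60b7a69c2cd6ad84a48db4d4ec2330bc742": "nadopilitsa.vbs",
    "248f4f03a3bac68d3f2231e72dcdb82d16ba4a49631306e231200c36a4d7d6b6": "nevedomaya.hernya",
    "35e4e941f3273ecca02b2c808d094eb0e165cd0d14433f1841990d6a93257f35": "nuashks.bat",
    "9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69": "poppets.txt",
    "ba65b8fdade56e9d32701aeaeb737ecca78a55917084e8a0f55088e55ba4fa7c": "samisok.vbs",
    "f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993": "modified C:\\Windows\\System32\\drivers\\etc\\hosts",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> Optional[str]:
    """Return the report's label for a file's contents, or None if the hash is unknown."""
    return KNOWN_SHA256.get(sha256_hex(data))


def active_hosts_entries(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every uncommented mapping in a hosts file.

    Comments start at '#' and run to end of line; blank and malformed lines are
    skipped. A default Windows hosts file yields an empty list.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # an address with no hostname is not a mapping
        entries.append((parts[0], parts[1:]))
    return entries


# Constructed hosts content for demonstration; NOT the hosts file from this report.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 update.example.com  # constructed active entry
0.0.0.0 telemetry.example.net
"""

if __name__ == "__main__":
    for ip, names in active_hosts_entries(SAMPLE_HOSTS):
        print(f"active hosts entry: {ip} -> {', '.join(names)}")
    print(classify(b"not a known file"))
```

Run classify over the files under C:\Program Files (x86)\Produc\New and the hosts file on a suspect machine; a hit on the hosts hash means the file is byte-identical to the one this sample wrote, while active_hosts_entries catches variants that write different entries.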