a1c80ca855a6eda478736c59211b1a6d08c551dd8cf994cff40d0a4796a1a090

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RUSSKAYA-GOLAYA.exe
Size

180KB
MD5

2e7d20079b41b69b3b16ecbd895be189
SHA1

c63b1f1a9ec96ca7b0fc0d92bc082593e1df85e0
SHA256

8aac418dfae104c626385ba620705f3d8f83ad9753020474a7fd41db3e808fc6
SHA512

ab1326e5b177a7d32f7d97c0d3efce235df0da4d2b2faf40528fe399e0adccb6e7c67c2aac07f15294be6c23f12b966c9fc3135d9b8f561e99f10a5ad98532e9
SSDEEP

3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0h6eXmUS:+bXE9OiTGfhEClq9deXY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1388	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	RUSSKAYA-GOLAYA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	RUSSKAYA-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3920	2464	RUSSKAYA-GOLAYA.exe	93
PID 2464 wrote to memory of 3920	2464	RUSSKAYA-GOLAYA.exe	93
PID 2464 wrote to memory of 3920	2464	RUSSKAYA-GOLAYA.exe	93
PID 2464 wrote to memory of 2148	2464	RUSSKAYA-GOLAYA.exe	95
PID 2464 wrote to memory of 2148	2464	RUSSKAYA-GOLAYA.exe	95
PID 2464 wrote to memory of 2148	2464	RUSSKAYA-GOLAYA.exe	95
PID 2464 wrote to memory of 1388	2464	RUSSKAYA-GOLAYA.exe	96
PID 2464 wrote to memory of 1388	2464	RUSSKAYA-GOLAYA.exe	96
PID 2464 wrote to memory of 1388	2464	RUSSKAYA-GOLAYA.exe	96

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat

Filesize
1KB

MD5
9d139d064933d01879a44984a43c0346

SHA1
81f546bb8d23151c07748f49d6d4f6e46bc3aca0

SHA256
2dcfbfd5c623fe341803f8be6ef66be4403af553c9312d46394e68f376c65467

SHA512
7765c000154d7af286dd8615640693b3be11f89f9d8001fa635c1e4cb12163f4dd97b481430f53b766fd1e551c6ff76499414732a51bd7f8a406d4c7ed669e8d

Download Submit
C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs

Filesize
832B

MD5
df76155dbd96ed3fba4dae39b11d380a

SHA1
b92763f66c212d74ce657d7063b12f037f71911f

SHA256
cec520a813dad4bbb36f79d09034dbd2a27fd42d6a26a3697c781600e8b179d7

SHA512
6f97a45b6042a1654c85bc9e2c2e6e65c94345a7e77dac442ef20052e0a15adc8f60af2664b3c034d99dd97d46f276183ce80beefc29fd22d6c4de791a93f0b9

Download Submit
C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs

Filesize
620B

MD5
e3a6c856222acceb9bbb3f521b2d6f8a

SHA1
cafca047a208fe189513d7c206b453778d0564e1

SHA256
994947db4656545c01196676f84e8c1d866938e22986db53792a01c112955559

SHA512
bfed69e1c2bde450910651f699474ecaf022bef888db008a51f7ac60c0bba727faf3d5cb9261edc29a781d7791e2a8a5db317edeb4d8996909cf778bc2d429a3

Download Submit
C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot

Filesize
34B

MD5
aa5511a167a67e429a9fdf3ac25bce0e

SHA1
8ac961be922cdc3314ed342e809d68637e9ea1f2

SHA256
bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

SHA512
736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

Download Submit
memory/2464-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download