c02521bc8b65ad32c16bc60b47c64bd7ec41b28419087024b3983e691471140c

General

Target

PHOTO-DEVOCHKA.exe
Size

180KB
MD5

fdc849111653249dd6ebe00d6d293760
SHA1

ece8bcb2bd22dfbe218e8c9104d2813bc624ec31
SHA256

538b9ff9b6e06025b93fa25ebbf7d06f7280813b97e826b7413981ae543d7429
SHA512

83e22626e4c46324d2d0cc60a545e4341123aeca1d96c9d23925e441cda137bfbb3ff463acba3514a896d9fb8851ffdf63248f628fed14e0df07b3e013c64866
SSDEEP

3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0hg/eSZZvLf6CNsPrXJ8WYQKaLl:+bXE9OiTGfhEClq9vGSZZvLCCNsPrXJh

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
36	3848	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PHOTO-DEVOCHKA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Elaeioleiferandhemar.ipa	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	PHOTO-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 5076	412	PHOTO-DEVOCHKA.exe	99
PID 412 wrote to memory of 5076	412	PHOTO-DEVOCHKA.exe	99
PID 412 wrote to memory of 5076	412	PHOTO-DEVOCHKA.exe	99
PID 412 wrote to memory of 4000	412	PHOTO-DEVOCHKA.exe	101
PID 412 wrote to memory of 4000	412	PHOTO-DEVOCHKA.exe	101
PID 412 wrote to memory of 4000	412	PHOTO-DEVOCHKA.exe	101
PID 412 wrote to memory of 3848	412	PHOTO-DEVOCHKA.exe	102
PID 412 wrote to memory of 3848	412	PHOTO-DEVOCHKA.exe	102
PID 412 wrote to memory of 3848	412	PHOTO-DEVOCHKA.exe	102

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:5076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Crudepalmilutures.bat

Filesize
618B

MD5
95df14b25a47ba59c8c55ae624260575

SHA1
680ff195daaed58014e59cf89d4626b4a68ab8a4

SHA256
97e108f9a7186f2c87c37410f8bd63adf51eff8320a1781bd2da47f761a35895

SHA512
50d923c6356acb1c210a34423f44ef18bd97ca755da39c191335d72e03d37d5220b997e061316485c341d48de1186c990280458306ebb59e9a16d5167ea60440

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\Elaeioleiferandhemar.ipa

Filesize
74B

MD5
a53a5a1f903850e67c4009f69cab52df

SHA1
5b5c3a9ceb8d3d589bb547e4828ee5aa5ad2d251

SHA256
87b2b49c62d2b891333b6e211e81fe8c07259639baa20f2fecea09034f857924

SHA512
936b05b93daf666b808782b80a46fa85a7e1b43dae813759c9e5c0f80aae9769ee1d196c5be53528d9966de6c3f834aa8a06d1e4350efeb04e41eeac7f796875

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\conservationistsandother.vbs

Filesize
493B

MD5
8431f160c6a617cb24571d81b5174dbc

SHA1
75efd043ba0c106de481e0f26e39c0ad8acdb74e

SHA256
e2f37d318f2009a54cf5a0ddbb20734506c96cfe8a7e3a30f89453b4814f0871

SHA512
82c963916389ae787fa5061ba9dcf36ebca785bab3850aa19070c21de2037b0f40f0b2e6888247755bd29920fa5fbf9e7ce1c80a59a249888e8ecdde836922ca

Download Submit
C:\Program Files (x86)\primarily the African oil palm\Palm oil is an edible vegetable\palm\yellowishfattyilobtained.vbs

Filesize
625B

MD5
ccfc768d46340bcfb9008809574ec464

SHA1
3d5b301a993eb1f5337829972f4c00cb416286fb

SHA256
aed09b8a54524d57146b6820d0b1bb4c0ee9c3ed63b9653b51cb989888335412

SHA512
cab7625f46269fb26431a978dbb37d71f5295fa3beef46aa38c6f6abf7ee97bdd4ceb726d7e2462df740bb12e4ba763a0cc232d3bf525934149deb895a715db4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b39b3c6e849da2757406331d12729746

SHA1
3974776133b06047b01a16c818024e4d363ef1df

SHA256
8f7a294349bd802db8991a3246f0d3153ff993e593249398f0b1342f97a49487

SHA512
b995db81214a871c92cac59a0e4a569be016c35bd6a571d7f1bbbcc0535ffb99f480e04fdff8af00bb7a172efe104d138c6153c2b20d8833c11209effb161e58

Download Submit
memory/412-3-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/412-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing