04082b328e22f00b2d15aaac46a69dc211d49816e1641be0c3a803c1d0443b35

General

Target

PHOTO-DEVOCHKA.exe
Size

180KB
MD5

63f222fa3dec54c99fa71bfbef798cab
SHA1

a6aa7dca45be30f5f1f0a2c0cf24c15637fe33f4
SHA256

47bfc569cb27c9596d81d144a9af37d5f378dcdaf73d6c416b86362739354b8f
SHA512

75c8086cd6dce1433e426f8f65d893130847b0ded224a4c6f26ebc6ee1ef9a33299da4f8902067697717b3cd8e4a855018929fb8d562c9581e79d023ae46e2df
SSDEEP

3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0h+tzYOuIPA:1bXE9OiTGfhEClq9dYpII

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2732	WScript.exe
5	2732	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2132	1624	PHOTO-DEVOCHKA.exe	28
PID 1624 wrote to memory of 2132	1624	PHOTO-DEVOCHKA.exe	28
PID 1624 wrote to memory of 2132	1624	PHOTO-DEVOCHKA.exe	28
PID 1624 wrote to memory of 2132	1624	PHOTO-DEVOCHKA.exe	28
PID 1624 wrote to memory of 2128	1624	PHOTO-DEVOCHKA.exe	30
PID 1624 wrote to memory of 2128	1624	PHOTO-DEVOCHKA.exe	30
PID 1624 wrote to memory of 2128	1624	PHOTO-DEVOCHKA.exe	30
PID 1624 wrote to memory of 2128	1624	PHOTO-DEVOCHKA.exe	30
PID 1624 wrote to memory of 2732	1624	PHOTO-DEVOCHKA.exe	31
PID 1624 wrote to memory of 2732	1624	PHOTO-DEVOCHKA.exe	31
PID 1624 wrote to memory of 2732	1624	PHOTO-DEVOCHKA.exe	31
PID 1624 wrote to memory of 2732	1624	PHOTO-DEVOCHKA.exe	31

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2128
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat

Filesize
2KB

MD5
56a64e3d2dabea79062ebd37c2695b87

SHA1
d3a7b4e9e3493c0c46bddb3973573511fc314ff9

SHA256
07ba63c69713fa2e4467e82eedc9c5eafd795ec3b85f1f38a9d3d4669cb4fba9

SHA512
260e82f73839361cc59a40c35ade0658d9ea22dd7b9af1a2937206bab77729ed9776e65765f521ee69cb6dde61d1dd8f0ba645ddc82440625f93b11c96928e7b

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs

Filesize
895B

MD5
86ec234776348de7a66694604c483902

SHA1
761269b17829cd99955ca44b9d198d26b3532a7e

SHA256
b04079e6d07e7788fb3ae4aade8eb6ea11de6e8582e724cb349be30551a0f5bc

SHA512
6dc3f64dd4194eb635a8e791599de7bcf52ab275b46efac9c1c90b28b9669adc8f552680dee6cafb5ebe9af1f5f42f0c31159472dfae8b0e879d17b9a05bc5fa

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs

Filesize
611B

MD5
49386cb3be62579eaa9d21cd8f528c7d

SHA1
c2f47fe4e27c663a62190ab454434a3b21070597

SHA256
7838e77610ed9f0affd067cd57c610ee4af33411b286b3a24ad60f18135d6289

SHA512
23d6cdd86d6c2767e43b8cc79814e6663f376c017694ecc16f971fac140650e02b11a45f247ac302d70489ea9918a365a589f45025581ebc2b9a73b120fb34d8

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot

Filesize
34B

MD5
aa5511a167a67e429a9fdf3ac25bce0e

SHA1
8ac961be922cdc3314ed342e809d68637e9ea1f2

SHA256
bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

SHA512
736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
25ee27baa31c59fdf6cf5d18955ef985

SHA1
51d4725afa6d997cb7347c60a7d17485a8fb2ea7

SHA256
75daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d

SHA512
8a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e

Download Submit
memory/1624-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing