04082b328e22f00b2d15aaac46a69dc211d49816e1641be0c3a803c1d0443b35

General

Target

PHOTO-DEVOCHKA.exe
Size

180KB
MD5

63f222fa3dec54c99fa71bfbef798cab
SHA1

a6aa7dca45be30f5f1f0a2c0cf24c15637fe33f4
SHA256

47bfc569cb27c9596d81d144a9af37d5f378dcdaf73d6c416b86362739354b8f
SHA512

75c8086cd6dce1433e426f8f65d893130847b0ded224a4c6f26ebc6ee1ef9a33299da4f8902067697717b3cd8e4a855018929fb8d562c9581e79d023ae46e2df
SSDEEP

3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0h+tzYOuIPA:1bXE9OiTGfhEClq9dYpII

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	5332	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	PHOTO-DEVOCHKA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	PHOTO-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 388	3472	PHOTO-DEVOCHKA.exe	91
PID 3472 wrote to memory of 388	3472	PHOTO-DEVOCHKA.exe	91
PID 3472 wrote to memory of 388	3472	PHOTO-DEVOCHKA.exe	91
PID 3472 wrote to memory of 3088	3472	PHOTO-DEVOCHKA.exe	93
PID 3472 wrote to memory of 3088	3472	PHOTO-DEVOCHKA.exe	93
PID 3472 wrote to memory of 3088	3472	PHOTO-DEVOCHKA.exe	93
PID 3472 wrote to memory of 5332	3472	PHOTO-DEVOCHKA.exe	94
PID 3472 wrote to memory of 5332	3472	PHOTO-DEVOCHKA.exe	94
PID 3472 wrote to memory of 5332	3472	PHOTO-DEVOCHKA.exe	94

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat

Filesize
2KB

MD5
56a64e3d2dabea79062ebd37c2695b87

SHA1
d3a7b4e9e3493c0c46bddb3973573511fc314ff9

SHA256
07ba63c69713fa2e4467e82eedc9c5eafd795ec3b85f1f38a9d3d4669cb4fba9

SHA512
260e82f73839361cc59a40c35ade0658d9ea22dd7b9af1a2937206bab77729ed9776e65765f521ee69cb6dde61d1dd8f0ba645ddc82440625f93b11c96928e7b

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs

Filesize
895B

MD5
86ec234776348de7a66694604c483902

SHA1
761269b17829cd99955ca44b9d198d26b3532a7e

SHA256
b04079e6d07e7788fb3ae4aade8eb6ea11de6e8582e724cb349be30551a0f5bc

SHA512
6dc3f64dd4194eb635a8e791599de7bcf52ab275b46efac9c1c90b28b9669adc8f552680dee6cafb5ebe9af1f5f42f0c31159472dfae8b0e879d17b9a05bc5fa

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs

Filesize
611B

MD5
49386cb3be62579eaa9d21cd8f528c7d

SHA1
c2f47fe4e27c663a62190ab454434a3b21070597

SHA256
7838e77610ed9f0affd067cd57c610ee4af33411b286b3a24ad60f18135d6289

SHA512
23d6cdd86d6c2767e43b8cc79814e6663f376c017694ecc16f971fac140650e02b11a45f247ac302d70489ea9918a365a589f45025581ebc2b9a73b120fb34d8

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot

Filesize
34B

MD5
aa5511a167a67e429a9fdf3ac25bce0e

SHA1
8ac961be922cdc3314ed342e809d68637e9ea1f2

SHA256
bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

SHA512
736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c0805e6fff9d30c65b91bc9284beac8e

SHA1
45456e27d6632159ed7e4403caa1a16721c3b603

SHA256
53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228

SHA512
34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3

Download Submit
memory/3472-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing