df014709a8958a09bae2dcf30f1abd241f5c5def6e400ffa4cadbcb7beb77014

General

Target

PHOTO-DEVOCHKA.exe
Size

180KB
MD5

f28c1e58c5766a111297588e8ab02361
SHA1

3d55a55fd6d193d32742fe89bf6041f9182ee447
SHA256

6e239da433517b0856f91d212baebdf1963d80ba6c546a440da19121580818ca
SHA512

e09add020c39a8fa5b14f094679daa9d0645f4c0fe39a33194e9c4c3cdadee05986904084387437203387d97be4381c9714e47451aff01e6a7e6fcb5ec9797fd
SSDEEP

3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0hL/eSZZvLf6CNsPrXJ8WYQKaLba:JbXE9OiTGfhEClq90GSZZvLCCNsPrXJa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2792	WScript.exe
7	2792	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2552	2336	PHOTO-DEVOCHKA.exe	27
PID 2336 wrote to memory of 2552	2336	PHOTO-DEVOCHKA.exe	27
PID 2336 wrote to memory of 2552	2336	PHOTO-DEVOCHKA.exe	27
PID 2336 wrote to memory of 2552	2336	PHOTO-DEVOCHKA.exe	27
PID 2336 wrote to memory of 2680	2336	PHOTO-DEVOCHKA.exe	29
PID 2336 wrote to memory of 2680	2336	PHOTO-DEVOCHKA.exe	29
PID 2336 wrote to memory of 2680	2336	PHOTO-DEVOCHKA.exe	29
PID 2336 wrote to memory of 2680	2336	PHOTO-DEVOCHKA.exe	29
PID 2336 wrote to memory of 2792	2336	PHOTO-DEVOCHKA.exe	30
PID 2336 wrote to memory of 2792	2336	PHOTO-DEVOCHKA.exe	30
PID 2336 wrote to memory of 2792	2336	PHOTO-DEVOCHKA.exe	30
PID 2336 wrote to memory of 2792	2336	PHOTO-DEVOCHKA.exe	30

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
fc2fcf4351f2aded0dada73e9f8d576f

SHA1
7b6e794c9366485a36e06eafb01d0f4a4d8691bf

SHA256
b0836c3e971d44ab408e6a809a891c3818ee80329f26af232295ef8518c9ba91

SHA512
4c673179d008c12685d282429afa89f477306624c473cc9475b90e09b58a69eee871cb26533d11f6c39c15a3693dd28ee3684dfed737f0b65c268842d1c24331

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
923B

MD5
7e250a4c3a7a6449119c02ffa9152fb3

SHA1
3d9e376ebd79cdcdf4545d2517e24bf4cc0ae3e5

SHA256
572ccd595ec789cc3c56de893214e2b102aaade4cf791b1df1a9d5d478343ce1

SHA512
ffa60a58dffeb27f9aa50e2e203ce817ec7af4bc29bb50cbe47e21ffa15d68afb15d517140ac1242e6604588adc3a205f0036eb2a45008d5d153e721a695fc17

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
700B

MD5
d00588d055e55ec3c9b932160f5d8871

SHA1
4ab42990617c4a65186da8b02c0029b38a4d6022

SHA256
ad14702ab903328311dfa29ac20ea72344153a92d4c5e26f46fa00b8c244f1aa

SHA512
fed047bd84641dfb44c4093e24f3e983f7f69f9e604bc1dae4156daf3b395855fa0d32f611df216cc05c599f0f7cf7daf5bb9da781a5890328d5bb1c83db8e91

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
25ee27baa31c59fdf6cf5d18955ef985

SHA1
51d4725afa6d997cb7347c60a7d17485a8fb2ea7

SHA256
75daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d

SHA512
8a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e

Download Submit
memory/2336-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing