0ef5560cbb8dc0e1b528fec92d1c92c4aa3edd0e7c2f2e12fde23237bbebb1b3

General

Target

RUSSKAYA-GOLAYA.exe
Size

240KB
MD5

934d29283079d878fae23838ff5d156b
SHA1

773c0ba664625a4030af3b8ea321de5ee0e029c6
SHA256

fe9d78c0c394e248da57fc5693fe5cb0a759489c93ae300adef582f1069413c6
SHA512

d410f0196092ad17a00496a587cd135e610efd6af47091731be9040d9426e2d24641e5989dc753d4e9d7ba3f126f8f2ce467f006c303a659cfb8495c8c119fc2
SSDEEP

3072:4BAp5XhKpN4eOyVTGfhEClj8jTk+0hnbGsthRX1Tr+Cgw5CKHe:vbXE9OiTGfhEClq9uLhjyJJUe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2584	WScript.exe
5	2584	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\Uninstall.ini	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	RUSSKAYA-GOLAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2684	2240	RUSSKAYA-GOLAYA.exe	28
PID 2240 wrote to memory of 2684	2240	RUSSKAYA-GOLAYA.exe	28
PID 2240 wrote to memory of 2684	2240	RUSSKAYA-GOLAYA.exe	28
PID 2240 wrote to memory of 2684	2240	RUSSKAYA-GOLAYA.exe	28
PID 2684 wrote to memory of 2584	2684	cmd.exe	30
PID 2684 wrote to memory of 2584	2684	cmd.exe	30
PID 2684 wrote to memory of 2584	2684	cmd.exe	30
PID 2684 wrote to memory of 2584	2684	cmd.exe	30
PID 2240 wrote to memory of 2468	2240	RUSSKAYA-GOLAYA.exe	31
PID 2240 wrote to memory of 2468	2240	RUSSKAYA-GOLAYA.exe	31
PID 2240 wrote to memory of 2468	2240	RUSSKAYA-GOLAYA.exe	31
PID 2240 wrote to memory of 2468	2240	RUSSKAYA-GOLAYA.exe	31

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik

Filesize
216B

MD5
41ffde2af2fa5859ce6aa839370d6d91

SHA1
ea6b40dee843fb2da5426cca128e56f26517dc43

SHA256
8ccbd7ab5ea149cbe5e8f6c02a83a051cd3af1fcbf13e0b119f3493794dfbdf2

SHA512
27d0a6d918b0ecce88fe9e80e4f0a9f04a904693670325feb774120ee96384e525edbc4289e6bc6e394398a464474cb824ef7b2fa9b54ee5e2251551645bf74c

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat

Filesize
2KB

MD5
806ae060c82c3de9e0117b7291b6bb3a

SHA1
bc9050e4acf88ef35c53a4c2f6e0499d2fc1d896

SHA256
a221c4308650abbcc41949592e0898e2fca9e6c24811b11525fb32900aeeca30

SHA512
12093a2ae94f8c59df40eb1c18c3c4b739f8d9a1004f9bfc33c5b55cf8543d77037fdc45a417d06d86a13015e1153314e024dd83bb99cea73f1c0c947cc1a551

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs

Filesize
741B

MD5
1310ee3d115fa438b2ad8a90adb248ad

SHA1
60cda736223211876c5d69238f9ec364359c5902

SHA256
d10e7fde0640490062b98d3d53f1cb65dc02906e90a0b4cc8b698eccc6c51e7f

SHA512
a8b4af726190118147dcdf87081859c987af2e709944bc4dd0009f88d44d3bfe78978a4fdfd87d03bd6e7a65e14d2be8ab54eb715cb5aa850635da6f556422bb

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui

Filesize
69B

MD5
337fd7f482967d86c608e11f07a2f086

SHA1
a7a9e3801775eb02f879a769ad306de48b402852

SHA256
199c7e48807b60549ad9146503628763eb09542dedfabb74fd5aeb7a0d52cfd6

SHA512
a8f6c886eab8ce09a8c30be2461e34e1d6ac787658aa9454757ccd8f7f9f5df82a6d749a7d5d0b17dadfeb1b65a87d0a66e5d9b3b4bd0ba030735eb67ddbef7c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
44ccd2e0f82c735fbef30c341d6bfc10

SHA1
8cc305f7f8fff401380175ae0cc7d0df99b83373

SHA256
d29b19381fbf3494195232c63a36e6a9d38de4e2db3e80ae3f007a36e9674db3

SHA512
8627b9c13415f5d9c917692281f2a33aa4286f0a50b0d08933ca663cd6cc12fb17256a2270ff283dd497661001b6c06f3d16e889215821659fa24ede367dfe07

Download Submit
memory/2240-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing