f76f106be9432e5b9f83a92361d55cf2f889ea8655a48ebcc858f3567481cdaf

General

Target

RUSSKAYA-GOLAYA.exe
Size

180KB
MD5

3e080ab7ed40be06a0da9f17c44bd6ec
SHA1

8f4dd15b0cb7fefa1d5f64e5dfb786a7a1dc05f8
SHA256

b569cbf09e89d5a87e21892099a4f6e76dcaad568af02793fa3149fc6e5e461b
SHA512

7e3b54939793fa1554759d8c8ac93696fe1c8fa5ff0423457ba2cced679ff13a800d5f3cff6ec8e71cc504e910b2766b486b98b47575c6abb83d6ef885d03fed
SSDEEP

3072:vBAp5XhKpN4eOyVTGfhEClj8jTk+0hgVL8ON:ybXE9OiTGfhEClq9zJ

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1660	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RUSSKAYA-GOLAYA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud	RUSSKAYA-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat	RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUSSKAYA-GOLAYA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RUSSKAYA-GOLAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1776	2700	RUSSKAYA-GOLAYA.exe	84
PID 2700 wrote to memory of 1776	2700	RUSSKAYA-GOLAYA.exe	84
PID 2700 wrote to memory of 1776	2700	RUSSKAYA-GOLAYA.exe	84
PID 2700 wrote to memory of 2272	2700	RUSSKAYA-GOLAYA.exe	86
PID 2700 wrote to memory of 2272	2700	RUSSKAYA-GOLAYA.exe	86
PID 2700 wrote to memory of 2272	2700	RUSSKAYA-GOLAYA.exe	86
PID 2700 wrote to memory of 1660	2700	RUSSKAYA-GOLAYA.exe	87
PID 2700 wrote to memory of 1660	2700	RUSSKAYA-GOLAYA.exe	87
PID 2700 wrote to memory of 1660	2700	RUSSKAYA-GOLAYA.exe	87

C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs"
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
d063d8d1f53c0c03daa40cd5f6e3509a

SHA1
5d41ee0d3bb8c2c74c654d003067a2927fd975ed

SHA256
466751d83fe2708bbf4e75135293a8cd57e6ad7de029d400f738e2ff2e5c9403

SHA512
5b52f89a863e7c771f0df6e9495bc87bac356bea519a3db26b51ba6fa4b109b1a41ac8cf2af8f5d4edb0e030479cc3b9a60e8ae08ad4619dff09fbdced3ef9b2

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs

Filesize
909B

MD5
5cd30692f17b61420aa98c427810f70e

SHA1
e17d83df32233a59fd86e83ffdc0729b9144bd07

SHA256
37eba2a860d9e6b99bbcd05be3d7942efb165e2fe3d9448d904c8160804d9a8e

SHA512
2d860f5c8dac6425cb36e098cadef58d3b536b00ccb138d5ead10288814b4a9fceac57b5b312178fd793e0b61a1c2237b3c5b222b37a58d40330ef42aa6318b6

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs

Filesize
656B

MD5
7f894b391586389088bb129089160402

SHA1
4d23e47474f49013c608cb3d4f2d5f981e29b90d

SHA256
1c45959c14908a0cc7dbe1ac8c75e49824a6872686af4d6fc780672d56d8cc78

SHA512
104fa4b46ec303db099d82e558ec35328763d0af3e54a66d239d1382961f2b782bea4cddd48ff678e0e56de3e5ede8c1c468f1b45bdbdd1187a0128e85f80e47

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c0805e6fff9d30c65b91bc9284beac8e

SHA1
45456e27d6632159ed7e4403caa1a16721c3b603

SHA256
53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228

SHA512
34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3

Download Submit
memory/2700-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing