4033b010384e049ded38d8296dd0d2154c98e17ec9794cbdd395a180eb1b9833

General

Target

PHOTO-DEVOCHKA.exe
Size

210KB
MD5

d1722d67467ef0a202fcde44c6e049bc
SHA1

2649b8d669784c0ac03e3176c71a2da1e447071e
SHA256

407f4570228efe8ac661a2b85344ede4769b3a5483e51bb56d69dd3915dcdb44
SHA512

1f46a37f436f8d1e0ed820bf5bc85f5d7d7d06d79e786687f420d38ae9e9a56b09d1e75bc5e8154840d8524308ac83e7a085e9ac188bf11e5ef92bf0c1caaf1e
SSDEEP

3072:EBAp5XhKpN4eOyVTGfhEClj8jTk+0h8xwNh/7+Cgw5CKHG:TbXE9OiTGfhEClq9hwaJJUG

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2420	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	PHOTO-DEVOCHKA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.ini	PHOTO-DEVOCHKA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PHOTO-DEVOCHKA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	PHOTO-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5968 wrote to memory of 5680	5968	PHOTO-DEVOCHKA.exe	86
PID 5968 wrote to memory of 5680	5968	PHOTO-DEVOCHKA.exe	86
PID 5968 wrote to memory of 5680	5968	PHOTO-DEVOCHKA.exe	86
PID 5968 wrote to memory of 2420	5968	PHOTO-DEVOCHKA.exe	89
PID 5968 wrote to memory of 2420	5968	PHOTO-DEVOCHKA.exe	89
PID 5968 wrote to memory of 2420	5968	PHOTO-DEVOCHKA.exe	89

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

Filesize
1KB

MD5
82c60765a1e5e0ef2d2c29eb8bf3e6b0

SHA1
5ef9ff613a9dabbcab41e454084b116f7c85de52

SHA256
00baf9d143235cc9c090112550f9750c0e79f66b344bc3c58c9ae580bbc2b6d9

SHA512
f488af4413c0069e1903b36f27005fd604aa0f3ade643deec716eac0f267d38f744a27cf5a68f524d1e8a5c96b98e25f05b40d3689bab0db2a14c4119624ebaa

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs

Filesize
1KB

MD5
7505754cc0b85044f77f4014c09f020d

SHA1
385c2511f5bef05b5c06f7b292004117bf23567e

SHA256
6121221673ec716cc96ff3253936b5e4d8c4afc4ab2e054202dae363d6c044ef

SHA512
9d1df45e90c8ca3f4c738a7c0c76d09173fe9cdc693114bfa758251646915f27be30ed582d1fbad89399b8a88299cb01331848b4e04d430e3e375af6f9d1e5a2

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

Filesize
87B

MD5
2048e7f377827684952eac6638737664

SHA1
177f0e8e28f88204df60059d64c6ec3bc108a673

SHA256
e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

SHA512
624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0d13ead42a57df87654479ff41c28491

SHA1
b869515352ee31a359e594a5f15169979cb79039

SHA256
64970eaf03cd8dcf35000c5c93589ee9e834e3ec997b065616cfbc14e7b1a046

SHA512
33d9e1846c1c8c7d5ce9e645e8fe9ccc138db52971bb12942a6c374617ea218e5203196069940565cfb6a8ad851b32c26779458254958e68c07715fdfcf8750a

Download Submit
memory/5968-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5968-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing