Analysis

  • max time kernel
    87s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2022 01:11

General

  • Target

    GOLAYA-SEXY.exe

  • Size

    181KB

  • MD5

    fa74fb27d2cd5d0ebfce9d301c3ef918

  • SHA1

    610c05cf48359612b4e766a409cfcb5d56d43bf6

  • SHA256

    d607b0c6c9e1e2d323ae1c598f31c440b5d972878614bfa8ae4786bd8834ce1d

  • SHA512

    df9e3b4b8d5cc65462d329422ff260ddea1a0c73a38d94059387aabfd1b31919ab47aee369150192ebb6edaff10c478d316d583039f74d655cfda152848883fb

  • SSDEEP

    3072:NBAp5XhKpN4eOyVTGfhEClj8jTk+0hfAWFmEeQqqqqqqqqoX:IbXE9OiTGfhEClq9K9Q

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Company\Product\bartalamey_jeq_simpsonq.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:4492
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\Product\ne_nu_ne_zraza_li.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops file in Drivers directory
      PID:3692

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Company\Product\bartalamey_jeq_simpsonq.bat

    Filesize

    861B

    MD5

    b8a81101bc678eddc37a4470b08d0e47

    SHA1

    cdb766a387334057f80719b2ef5efd82abac733c

    SHA256

    a82943452fb0ec00445c4db9e7617106e9c19b7ec4ef24eccd0d72f5c43fe9a7

    SHA512

    704555bb4836b7205b2ff80b6d939541cea0a1624f86cab472b7d3010128c218a78a94bdf11e52e773589e6b3e7bd1c67d8274cc1a66335503383f2d994acaa3

  • C:\Program Files (x86)\Company\Product\ne_nu_ne_zraza_li.klm

    Filesize

    1KB

    MD5

    7ac3823419ec56885bf212624b38c84d

    SHA1

    56f03e4660e896655536f23915dfbebf6f0440ed

    SHA256

    19a799743f2410db404190abf056f069659a2b28edc3f0855870e05a67e30a88

    SHA512

    ee39dfd4fe18b7131a9f89b3f529370f3c2d3f0b7c551060170c9ea4b4725fc15d074d4f94705d288f36aef6fc8c5d4aeae9066a1f5e1a42a1e85b8f81b4701c

  • C:\Program Files (x86)\Company\Product\ne_nu_ne_zraza_li.vbs

    Filesize

    1KB

    MD5

    7ac3823419ec56885bf212624b38c84d

    SHA1

    56f03e4660e896655536f23915dfbebf6f0440ed

    SHA256

    19a799743f2410db404190abf056f069659a2b28edc3f0855870e05a67e30a88

    SHA512

    ee39dfd4fe18b7131a9f89b3f529370f3c2d3f0b7c551060170c9ea4b4725fc15d074d4f94705d288f36aef6fc8c5d4aeae9066a1f5e1a42a1e85b8f81b4701c

  • C:\Program Files (x86)\Company\Product\polkanapolke.shv

    Filesize

    87B

    MD5

    2048e7f377827684952eac6638737664

    SHA1

    177f0e8e28f88204df60059d64c6ec3bc108a673

    SHA256

    e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

    SHA512

    624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

  • memory/3692-136-0x0000000000000000-mapping.dmp

  • memory/4492-132-0x0000000000000000-mapping.dmp