97d2d749cf08d9b803c08ef30f18663ce4187a2aeffd19d6706922682b7357b5

General

Target

GOLAYA-BABE.exe
Size

239KB
MD5

22c9f0d7dfadf25b221bee4d6fe9c39f
SHA1

171e6a865624222ae347d828a2a415a243c05951
SHA256

bc604cfca1473eb7ceb590689348f5a840a6e9425319e9ef120a893390345c58
SHA512

352265ba2ced7b5a6c2ee82f4fbf4788bf20a840684e827c548792e814f191da6be20b820bc8eebd77cfd27880904018cdc8ee5a54893e7eedd27e1cd196eee1
SSDEEP

3072:kBAp5XhKpN4eOyVTGfhEClj8jTk+0hM3GRjDNOoCya+Cgw5CKH2:zbXE9OiTGfhEClq9EjQKJJU2

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1684	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\10101010101010101010101010100101010101011010.la	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.ggg	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs	cmd.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\10101010101010101010101010100101010101011010.la	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.ggg	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs	cmd.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs	cmd.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	GOLAYA-BABE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4148	2148	GOLAYA-BABE.exe	80
PID 2148 wrote to memory of 4148	2148	GOLAYA-BABE.exe	80
PID 2148 wrote to memory of 4148	2148	GOLAYA-BABE.exe	80
PID 2148 wrote to memory of 4444	2148	GOLAYA-BABE.exe	82
PID 2148 wrote to memory of 4444	2148	GOLAYA-BABE.exe	82
PID 2148 wrote to memory of 4444	2148	GOLAYA-BABE.exe	82
PID 2148 wrote to memory of 1684	2148	GOLAYA-BABE.exe	83
PID 2148 wrote to memory of 1684	2148	GOLAYA-BABE.exe	83
PID 2148 wrote to memory of 1684	2148	GOLAYA-BABE.exe	83

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:4148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.ggg

Filesize
686B

MD5
d959fc73cbdfe888fe9d92f5d96a6140

SHA1
484d236f19f66014fb800c008eed6f5434a9ad6f

SHA256
cfff978a5958648322a5ae44b919e9f34ea9b2c19c9b9a1b8a539753317634c5

SHA512
7d8fd1e5872e092d393b082c42d60748b45f5db1cada90c224c4676b98406006893b7b006192c63765668db88d4e41742a63e6596d7a155f8587ad9bbd68f7eb

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs

Filesize
686B

MD5
d959fc73cbdfe888fe9d92f5d96a6140

SHA1
484d236f19f66014fb800c008eed6f5434a9ad6f

SHA256
cfff978a5958648322a5ae44b919e9f34ea9b2c19c9b9a1b8a539753317634c5

SHA512
7d8fd1e5872e092d393b082c42d60748b45f5db1cada90c224c4676b98406006893b7b006192c63765668db88d4e41742a63e6596d7a155f8587ad9bbd68f7eb

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok

Filesize
120B

MD5
5f43cc09c2448d238b467d4902a01394

SHA1
4f82c81a46d1df708493004aa8552d4df2740e57

SHA256
24dafc098a82c1b30a66d05124610097ed4673a43121744eb35e9f578955ed6f

SHA512
05b571e6c6038ded7a360c35902405dbaa81007d2b4eca612975775c14abb61c9c54d2ab3a0fe5c3c0fdddfc212673c5a80bdb69211d1020c9acf79b1603f7c3

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat

Filesize
1KB

MD5
f93064f19531db417fd68204d328c172

SHA1
f4654036e710adfd0ed0e2db700dd0afc240bbed

SHA256
5e59abcbb4b0e40cab9b3332886b19fb4e2f1ab0a76bccefc4ebfd4b75671d38

SHA512
824bbae0d9ac9027c8fa899e37986714862d43aae322f67efe2ca941dac079dcf870a00b348f2f528f09217afbdbbbd5f079142c443fb14255b5afaf72a493b8

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog

Filesize
802B

MD5
f30058412160bfca6aca8e0873a70078

SHA1
3e3b56550820ec9f09fb0d7597812e893eace581

SHA256
49a8eb873fef0d5167437d56551a993edae7384707e311ac70e6dcc67387ea95

SHA512
3d8cb7a004021bb9e85e10430b9976eb17b1019a137eabae6537d29139a62071aa662791b71ab1de2444000fc2139778f8ef89edf71f87d295626971aa2cc522

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs

Filesize
802B

MD5
f30058412160bfca6aca8e0873a70078

SHA1
3e3b56550820ec9f09fb0d7597812e893eace581

SHA256
49a8eb873fef0d5167437d56551a993edae7384707e311ac70e6dcc67387ea95

SHA512
3d8cb7a004021bb9e85e10430b9976eb17b1019a137eabae6537d29139a62071aa662791b71ab1de2444000fc2139778f8ef89edf71f87d295626971aa2cc522

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e756b71be76cd80a2dc3ae04deb9a309

SHA1
7cc93e6c927aa0bd1c83e5696e6195562ed27525

SHA256
4751e738816cbeae753aff68419fefd0817d6969b60db28b94d3de743abc20e7

SHA512
8db0b9f09ad3e16c1eddc900d0c75fdf447044fdaceefc44e778bc38dc62289fd0e134dd40453f0b9911a14c423cb92c3b6ef28bc16a66cd3aaa7ddab9b3a1a5

Download Submit

Analysis

Sharing