3878a7464e08ecfc6bb6f4db956786d68d0f3d06d1fef5f5cb441485357ebd4b

General

Target

GOLAYA-SEXY.exe
Size

239KB
MD5

f23513128b673710c059337eba0de66a
SHA1

dd6291b4b24c0c77e1febf49e8af02069c6e6e2c
SHA256

73460a4c0a23af9ac5f2cc1297a4fd0ec9e24ccdabe4fa2158be72065307bddd
SHA512

339395308b78db51dd1090921d611768d90724cf0a89b8104e868f77afe42eb3e31a7ea177f6eb33ccc400beea9488ef6b4ec8ea1efc5a873890a55321240edd
SSDEEP

3072:+BAp5XhKpN4eOyVTGfhEClj8jTk+0heklmPpp+Cgw5CKHq:VbXE9OiTGfhEClq9FkHJJUq

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	1412	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GOLAYA-SEXY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.ini	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs	cmd.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\lethala fell blowsinisterby somefell.chanc	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.exe	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs	cmd.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\lethala fell blowsinisterby somefell.chanc	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.exe	GOLAYA-SEXY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	GOLAYA-SEXY.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 628	1564	GOLAYA-SEXY.exe	78
PID 1564 wrote to memory of 628	1564	GOLAYA-SEXY.exe	78
PID 1564 wrote to memory of 628	1564	GOLAYA-SEXY.exe	78
PID 1564 wrote to memory of 1412	1564	GOLAYA-SEXY.exe	80
PID 1564 wrote to memory of 1412	1564	GOLAYA-SEXY.exe	80
PID 1564 wrote to memory of 1412	1564	GOLAYA-SEXY.exe	80

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking

Filesize
1KB

MD5
b1d81d8267e7d0333ec477248bcf369c

SHA1
5ab5d3d7566d12c2048edd07818b491aec473e05

SHA256
0abe58bcbfd6a137bca3b63db723dd29ff5eeeef4d9303ee00496d7a01239259

SHA512
91080b33b4602bb28bed4d748de0bac3f174a436d033a36bd6ae4e3f8f5ef105b71b5e8a9fa63226d57a555894dc581082db9baf6c266126658cb48ddd4ee161

Download Submit
C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs

Filesize
1KB

MD5
b1d81d8267e7d0333ec477248bcf369c

SHA1
5ab5d3d7566d12c2048edd07818b491aec473e05

SHA256
0abe58bcbfd6a137bca3b63db723dd29ff5eeeef4d9303ee00496d7a01239259

SHA512
91080b33b4602bb28bed4d748de0bac3f174a436d033a36bd6ae4e3f8f5ef105b71b5e8a9fa63226d57a555894dc581082db9baf6c266126658cb48ddd4ee161

Download Submit
C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol

Filesize
112B

MD5
a97805a7dcdf57804ebce37d2599a681

SHA1
99cfacb04b6bbe087d6c46e3d920ba9ab0a4f056

SHA256
0c6fa09a4144b4313cd2a859b98b622f836c1ea311d84aca4dcd25f706d35039

SHA512
dca01920001d10435669e51f2ba65159e9997bc0e4a3f12e0b52b66061e402194d01ac8cfd74c53499cdf59aa9f6adf3fa0e5e73b6ef1d4c0e8a5bc9955ab1c9

Download Submit
C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat

Filesize
1KB

MD5
67d00854aff023c30b4619091284d359

SHA1
6bbac100a50f2191096dc1de03ec42191bfa5d43

SHA256
36913eef440b4110bf1d8f23203715d2aecbd822b06449a43513b40cbc5cd364

SHA512
eb3beb9c6db5632f951556999562591b92b3e6a73033a6bf9cecd1b83bec7c93b73c4a80f2af8947baa2939a6a5ebb4bd5fbf393a94bbdca44231d8162943a89

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
a1d6c52a1e0916a81ea593afbdb6e4a2

SHA1
246d651e3d483e5dacabd834e7e315970c80be67

SHA256
e6ae347b3530743eafc0979d3376e5c699681dc67907c60796eae0fc19eb16f3

SHA512
16e91c576be81a8a2fc69bafddf07b8792521686db8c9824efab112c82f94ed7e142c0274d907193b1d2c774cd79a13dda3a80b363b469afd161c166bb6da8b6

Download Submit

Analysis

Sharing