24b57f7b9cae4960689bfbcbea2cddc02f9e59d4e5c30e444fe7438d37042872

General

Target

GOLAYA-SEXY.exe
Size

239KB
MD5

d141270ed4ca25be1fd7cd61f1d91f1a
SHA1

b5860a78425caa29e00f575de4bcf8dc3314e966
SHA256

eeb248baee68277a58652fa4a8a5c55357027be32389f6fd01c73bc4c3a1b8fd
SHA512

510814a7ad4416d39372f347b774cb7170900a7fc6e7eb07f84212f861a586b406964f3599bd3533a9884c891fc75335eb7daaa562fe1e60ef2f3b7a7f85b110
SSDEEP

6144:dbXE9OiTGfhEClq9npor2Iw7Wuq1IOlWJJUK:NU9XiuiSoTlc

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	944	WScript.exe
5	944	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\Uninstall.ini	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-SEXY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1900	1608	GOLAYA-SEXY.exe	26
PID 1608 wrote to memory of 1900	1608	GOLAYA-SEXY.exe	26
PID 1608 wrote to memory of 1900	1608	GOLAYA-SEXY.exe	26
PID 1608 wrote to memory of 1900	1608	GOLAYA-SEXY.exe	26
PID 1900 wrote to memory of 944	1900	cmd.exe	28
PID 1900 wrote to memory of 944	1900	cmd.exe	28
PID 1900 wrote to memory of 944	1900	cmd.exe	28
PID 1900 wrote to memory of 944	1900	cmd.exe	28
PID 1608 wrote to memory of 1944	1608	GOLAYA-SEXY.exe	29
PID 1608 wrote to memory of 1944	1608	GOLAYA-SEXY.exe	29
PID 1608 wrote to memory of 1944	1608	GOLAYA-SEXY.exe	29
PID 1608 wrote to memory of 1944	1608	GOLAYA-SEXY.exe	29

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik

Filesize
258B

MD5
4f13c561e8c1a666e912afefd7cf758d

SHA1
9cfd5e512bbc2be7ed670f85a731d97a83c71077

SHA256
ebb4b61362f29913fab27388fbd70963155333eee1cb4e94110730c82d4eab40

SHA512
e7395661df1e81db2575900162112020dd5b6e82debb1e9c419c4399bab92d1ddbb50d0f33f9df54716c7c9398e86013cdfac82f4c2ed0e7e756f068679f3d54

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs

Filesize
258B

MD5
4f13c561e8c1a666e912afefd7cf758d

SHA1
9cfd5e512bbc2be7ed670f85a731d97a83c71077

SHA256
ebb4b61362f29913fab27388fbd70963155333eee1cb4e94110730c82d4eab40

SHA512
e7395661df1e81db2575900162112020dd5b6e82debb1e9c419c4399bab92d1ddbb50d0f33f9df54716c7c9398e86013cdfac82f4c2ed0e7e756f068679f3d54

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat

Filesize
2KB

MD5
8e4cd8a7063f4201664b9e3118aab994

SHA1
d7a1f5b5248fd7ecad26c92f1cf12ae5e7fc1d59

SHA256
be7aabfc7c5cd64d6d5b2d0ca973809290f9f829959a2858bfec2c2d943a8f31

SHA512
9ab618876d2aa8275a321f281e46777d7882de6737bdd22fd55991a024f920b9b691df84e7d5c1d0dcf31e514d216d8251b457628103009927b5460c5e754cf6

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs

Filesize
697B

MD5
8b8766e88c5be7e0313dfd7b0805f1e5

SHA1
762adb329dec6ab328aa9b8d103845454a728952

SHA256
5e2af02f511518cf584407fa7aace6c56670941f4e8aa96ff6f010a21202e29a

SHA512
952010a4bcea053e341a956bfd3bb45078993dcc521932b2eee98354e3457017f09213dfc463ab6b34bc1d5b2321e2ec78b63359bb49affff45bd6671f2a5753

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui

Filesize
55B

MD5
eebc9086a079af7f6d895c462a250982

SHA1
413f00b078361100962d5b048eee0f3c86c27fcd

SHA256
761b89d1fd5256fb7bf7fd12ad675776de419ad419c1e5e211ad4784eff80d44

SHA512
bfa9e27ea406a7f101badb7e65fb9ffa2ead70d8ef217206184c49385160f7536ae745b66e00e3ee4f549876b689c787c8857614e93b6e096c5ef25d4e68e801

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit
memory/944-60-0x0000000000000000-mapping.dmp

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1900-55-0x0000000000000000-mapping.dmp

Download
memory/1944-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing