bd764702c81df2242ff3065966d923b9aa27de05db3cc31a6fffe0b99212df17

General

Target

GOLAYA-RUSSKAYA.exe
Size

239KB
MD5

2b39981352a5356af3c6ef0f147e38d0
SHA1

06d295b726af54cfa5fff54884a775349e089e77
SHA256

f79f92660dffba6030e27b31734b990fdf1c3ac84805cd0757a889e4909cbd3a
SHA512

1a28c51973a67d62f0e12ee51445fce6f5c830c10da70323daa5ce3568600a0fa59e9f188b154250af6c933f8e748cfc5932d757baa8056ab340a0ad43a1ff1d
SSDEEP

3072:JBAp5XhKpN4eOyVTGfhEClj8jTk+0hqIgMKTNRfE+Cgw5CKHK:MbXE9OiTGfhEClq9nlNPJJUK

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2484	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GOLAYA-RUSSKAYA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.ini	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	GOLAYA-RUSSKAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	GOLAYA-RUSSKAYA.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 2248	4984	GOLAYA-RUSSKAYA.exe	80
PID 4984 wrote to memory of 2248	4984	GOLAYA-RUSSKAYA.exe	80
PID 4984 wrote to memory of 2248	4984	GOLAYA-RUSSKAYA.exe	80
PID 4984 wrote to memory of 2484	4984	GOLAYA-RUSSKAYA.exe	82
PID 4984 wrote to memory of 2484	4984	GOLAYA-RUSSKAYA.exe	82
PID 4984 wrote to memory of 2484	4984	GOLAYA-RUSSKAYA.exe	82

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

Filesize
1KB

MD5
9035b833c805a3c4cd6d9d5f12518415

SHA1
fc703a4a33f2e87cdca3653fe283c724b6bf2e88

SHA256
580c52daabc37afbfa437934bfe0459147acd387ad55e4a2435d984c98a9ee3c

SHA512
aab62152a9da71399498f10ffb8f8a7d69bb2a0125f6c2377ee5973c3a3a5d1eb6952790ec44ca94f3f14c92eb5cf3a86a9ad6001b445bd2f1ea36a38149de40

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua

Filesize
1KB

MD5
70f82479add509725394fab75b5507c3

SHA1
3eed208a455295f19df8aafe74fc69980d283281

SHA256
305e34e742e111ae36b2f9dfe36e7461a392f4672efce52767b117fa98a37c3b

SHA512
59b2d8c62f659b1ab4757b200c787a1ef237c76bac1d21538ec77f38c55b0f04a6a59cb1e88ce4f27d740fabdc4ec0672d31be978bf5ef1e826ba730e30f9b9b

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs

Filesize
1KB

MD5
70f82479add509725394fab75b5507c3

SHA1
3eed208a455295f19df8aafe74fc69980d283281

SHA256
305e34e742e111ae36b2f9dfe36e7461a392f4672efce52767b117fa98a37c3b

SHA512
59b2d8c62f659b1ab4757b200c787a1ef237c76bac1d21538ec77f38c55b0f04a6a59cb1e88ce4f27d740fabdc4ec0672d31be978bf5ef1e826ba730e30f9b9b

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

Filesize
106B

MD5
74305d205702e48e96da6265224b456f

SHA1
387686c3598b5d9bb084f1597aeb3c1687b8b001

SHA256
afc5e57f3536cc17c46c377efe3746f80079b1917597bb3430298ddb570a3faf

SHA512
67fb29190052df27d2a5166a9de5233b64037aac5d00cb31c986850bfcb91f6df8927aa76140dcb126cd8f82eb8dc6c5aaef87816ec5505f176ff62286fafdf0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
5debf8d264bf3c994a0abde203739bcb

SHA1
3417c867304e82d6f732cd0215b5a4bf9252b7fd

SHA256
2c65822d290993a0c02e23254594809bb7cd5022d4235f374b569fb4817c7cc0

SHA512
a18882be9ef725748dda3a7e402ae1acbf7239329f326637a4f06e7ab96deaf9a8622efb39bffde82ae0485054030161264a95d034b838d123beb0eee480f45e

Download Submit

Analysis

Sharing