2631d07fecf0e7853527d778298b34b71a66dbe80cb2021d6b7ea1cce161bfa6

General

Target

GOLAYA-PHOTO.exe
Size

149KB
MD5

977c93c6bc8681e1c6f4957be7346fb3
SHA1

d6dd40443ab855f7723163573a99d2073f3e5ab7
SHA256

49ad394c9e66be0dbdbb2f39ae0dec9d73524c5adcfa0b2ab42a5c9f021c860a
SHA512

43a35a1cd5b232c1c905c0d99b837cd0cb62da18fd2f347ca19ca93ae0a0f00156f16ae105e4f26190008d791535d76960c3c5e7b3090316c33a9364147e4158
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hizJREUzffMe:AbXE9OiTGfhEClq9XKUbMe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1636	WScript.exe
5	1636	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\all2.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\Company\NewProduct\al99999.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\al99999.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\hhhh.txt	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\koollapsa.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\slonik.po	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\al99999.pp	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1324	1228	GOLAYA-PHOTO.exe	27
PID 1228 wrote to memory of 1324	1228	GOLAYA-PHOTO.exe	27
PID 1228 wrote to memory of 1324	1228	GOLAYA-PHOTO.exe	27
PID 1228 wrote to memory of 1324	1228	GOLAYA-PHOTO.exe	27
PID 1324 wrote to memory of 1636	1324	cmd.exe	29
PID 1324 wrote to memory of 1636	1324	cmd.exe	29
PID 1324 wrote to memory of 1636	1324	cmd.exe	29
PID 1324 wrote to memory of 1636	1324	cmd.exe	29
PID 1228 wrote to memory of 760	1228	GOLAYA-PHOTO.exe	30
PID 1228 wrote to memory of 760	1228	GOLAYA-PHOTO.exe	30
PID 1228 wrote to memory of 760	1228	GOLAYA-PHOTO.exe	30
PID 1228 wrote to memory of 760	1228	GOLAYA-PHOTO.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Company\NewProduct\koollapsa.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\al99999.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\all2.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\al99999.pp

Filesize
294B

MD5
21af4fa5ba98e52f2ff9495e2d5647bf

SHA1
8392c3193b01dc4e053d475ef2596a9b9775c5a6

SHA256
979b8df7b94d49e3a802d52ae9b6df38f1791dce642bf841ac22969e30b779ea

SHA512
3a07d55c4f9b35f040940d3fe4f7f7880d16547a656dc2aff61f8d0c64d8d9f3e590e561e3a395129a698a3dd20706849cf712ba8a4e9e9a72a0b40ec4c021c9

Download Submit
C:\Program Files (x86)\Company\NewProduct\al99999.vbs

Filesize
294B

MD5
21af4fa5ba98e52f2ff9495e2d5647bf

SHA1
8392c3193b01dc4e053d475ef2596a9b9775c5a6

SHA256
979b8df7b94d49e3a802d52ae9b6df38f1791dce642bf841ac22969e30b779ea

SHA512
3a07d55c4f9b35f040940d3fe4f7f7880d16547a656dc2aff61f8d0c64d8d9f3e590e561e3a395129a698a3dd20706849cf712ba8a4e9e9a72a0b40ec4c021c9

Download Submit
C:\Program Files (x86)\Company\NewProduct\all2.vbs

Filesize
733B

MD5
0c80a1dab2a6801400f9e72fdf651252

SHA1
a66e1ba75450e78529bdeba40a202dfb70eb1276

SHA256
7ba92c76d5e79a43a01d5c8a1b02a2d9328cc4f6ac4a1dd929e09c2fc18e090e

SHA512
4236548a6f020b8335af454868380e2194da0e2eb95913cf4ef5a436a2f51292d0090cc71497ed2627aed104026aa95d6358d809654afa250d2d1425358d3f16

Download Submit
C:\Program Files (x86)\Company\NewProduct\hhhh.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Company\NewProduct\koollapsa.bat

Filesize
3KB

MD5
fa686645bd1910d87cdc478fdf11d066

SHA1
401b0b4768bccd1e785a5286b5d92827ab0880c3

SHA256
5d917486a81cc816300b1b0e487b44f8ba35172c57d5f778d4dac5f074862f1e

SHA512
26daf27c886da0d06df964dcc8481524a78418c94c34e7f413f66cf89d2b46b6a909e22becde1ecbfe3bcdaf70219ce282cbe7d22d269fbb1a3674d28f8e1485

Download Submit
C:\Program Files (x86)\Company\NewProduct\slonik.po

Filesize
43B

MD5
6811d60b26c0f3afa90c74e7d2dc885d

SHA1
a55a22025fef0bfb40c41b7c7f48baa4c697a0b4

SHA256
e079758f26c22b4a3686b5e935c5b331141944bd60d1817bd5f7888cf1d0c936

SHA512
098a653cbdf78315286541e3ab123d0df5c232faf08f0d765f3124069519fe98aa059e867d281afe323dbda0cc112ea1803b626a1b9912817856da6f6d936889

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit
memory/760-61-0x0000000000000000-mapping.dmp

Download
memory/1228-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1324-55-0x0000000000000000-mapping.dmp

Download
memory/1636-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing