Overview

overview

8

Static

static

GOLAYA-DEVOCHKA.exe

windows7-x64

8

GOLAYA-DEVOCHKA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    83s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-DEVOCHKA.exe

  • Size

    149KB

  • MD5

    f017add0319b24def517032c3b93b06f

  • SHA1

    69aa7ec014e3cab55ef2f4df20e70d6856e76927

  • SHA256

    1fccd0adbb781ba2f3c9dd5340069470ea79410cb57d8d206b29dd011dd5e46e

  • SHA512

    9cc4a05e4b253f3f285154b82fc8945a1e00a3607feacbd20973480732a6fed210987ce42e32d24f74d582775f1ca045774054f3e4aae5c7b9ca5d41e2950d9c

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiY9ruInWRewlt:AbXE9OiTGfhEClq98PWRewlt

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Company\NewProduct\koollapsa.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\al99999.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:3596
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\all2.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Company\NewProduct\al99999.pp
    Filesize

    243B

    MD5

    23ef2c7e99fa7dea7ec005939ef9fda2

    SHA1

    7e283eb07d4c16c6d156b2eeeae96e02c432f7b7

    SHA256

    a542c80852ffe78e295d49720db744b464649f7ae4f7d8f8b9bd73b5fb085cf8

    SHA512

    55d41334eb10032d05bdfe0789ad0654630b8db0a31adeec10ba6ee881d0ecc95d023d1414a7b82fa1a03e9b6703ac5999439c909bd1193e30b62d28dc3359a5

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\al99999.vbs
    Filesize

    243B

    MD5

    23ef2c7e99fa7dea7ec005939ef9fda2

    SHA1

    7e283eb07d4c16c6d156b2eeeae96e02c432f7b7

    SHA256

    a542c80852ffe78e295d49720db744b464649f7ae4f7d8f8b9bd73b5fb085cf8

    SHA512

    55d41334eb10032d05bdfe0789ad0654630b8db0a31adeec10ba6ee881d0ecc95d023d1414a7b82fa1a03e9b6703ac5999439c909bd1193e30b62d28dc3359a5

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\all2.vbs
    Filesize

    722B

    MD5

    d8bde056ff79ebdf405042460d71f823

    SHA1

    798dcc1ab1fa00dfa622daffd32d9c93c5bb68e9

    SHA256

    9cd6ea229816f42d86f0fc4373d4db66b9fb863957c0d6ff185b5537f6f9416a

    SHA512

    657cfd8ff737fe7a203b4f7b1e1d47569ee2ba0aaf306a8eceec8fc83e773662f85a02ae250fe34386675ee766287129da471a66131f3ffe8b29f0cdf98feee8

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\hhhh.txt
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\koollapsa.bat
    Filesize

    2KB

    MD5

    4bef9ea6d5abdcf2238181e5e99a00a3

    SHA1

    9f56b3419ffc31be534965dccebc7e17cff86209

    SHA256

    2b34b1d6a58969a6a952fb79af1ff1462507cd4c377c610b19f29803c93c724b

    SHA512

    c020899846cc8d2977d886df8d369686087bf9b7db5e2e2897506a3d8f23179642b73852a46a824f9fa2fdb87f98a5c41f488d1041df7310779dd0158ee47cec

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\slonik.po
    Filesize

    52B

    MD5

    338036b941523ede7d75fb976b9fae0d

    SHA1

    9c9811337a6aeb90330d3c63de45d5f083b1f4e5

    SHA256

    2b372c716cacdac185842371da59c1899660584647c627961ff86cf75dcdcce1

    SHA512

    c028e06623ec1be9f3d139952cb386b40031fb0b744f88917df6d1a8cc08d0234f38fd90b23c23d5b657ab0143265ab7d1025d102ea402f3ccb746623c635f5e

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    0021c993f6e270022b22a1f77f6797c1

    SHA1

    8f0081a7735307c166ec3a995716dd5306723410

    SHA256

    47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

    SHA512

    d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

    Download Submit