48c1277333e36063b2a3b3182a6c6b4d798add9adc84f5307229ef3baaf7799d

General

Target

GOLAYA-SEXY.exe
Size

238KB
MD5

466171c86c39f1266019f1386b78ad45
SHA1

cf50984c43232cffb00e181597be92b5a118c65e
SHA256

af2f6bc331ddbf6401b342e21947f949a92143d7f8dea3e6a1dcefca18bcefb2
SHA512

162f43193b6e387ae9bbe77b099d62ad473f47b7dbfddb8e94fe75b3b7003035dadd9bb2e7069e8009eba74a6206784f54999f29ff5ea5a7463b086382018b4b
SSDEEP

3072:QBAp5XhKpN4eOyVTGfhEClj8jTk+0h5TlWnC+Cgw5CKHG:HbXE9OiTGfhEClq9IlWzJJUG

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	936	WScript.exe
4	936	WScript.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs	cmd.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.klm	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.klm	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\Uninstall.ini	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1948	832	GOLAYA-SEXY.exe	27
PID 832 wrote to memory of 1948	832	GOLAYA-SEXY.exe	27
PID 832 wrote to memory of 1948	832	GOLAYA-SEXY.exe	27
PID 832 wrote to memory of 1948	832	GOLAYA-SEXY.exe	27
PID 832 wrote to memory of 936	832	GOLAYA-SEXY.exe	29
PID 832 wrote to memory of 936	832	GOLAYA-SEXY.exe	29
PID 832 wrote to memory of 936	832	GOLAYA-SEXY.exe	29
PID 832 wrote to memory of 936	832	GOLAYA-SEXY.exe	29

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat

Filesize
1KB

MD5
ef09b0975dd3055e115040da125bf1e7

SHA1
c4653bad1b4bfd34ffeab5182fb16e244f8c35c4

SHA256
6a8031866aa29518659e04ccef03708ba654afada75b03406c52bebaadefe3ec

SHA512
b69ddaa597c4f4877f1d53d83aa950f9aaf6dba1643be2a45a3cb3eb9d1b66e777ca28b88feb7ae401c0410c00da0acb0ad5634ecfa9af6f3ffe2633a4cd70d4

Download Submit
C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.klm

Filesize
1KB

MD5
5ce6512909ac7bcb0c544a6d9879e853

SHA1
10e2a2145c3e65fe24159645314e4809bd2f3edd

SHA256
5e1089b403c748c7697968bda25367aada5a3281ddfd7d3f18747c338a03aa30

SHA512
515f66fc03f1d28e044ee5abdfaca33f8d12b7db10e6b1000c88b0ccd1ccc771aa53b6c8e4848b1a9649c6ec266c6d7f181dd5ab49d33e31c650d644a8d24e95

Download Submit
C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs

Filesize
1KB

MD5
5ce6512909ac7bcb0c544a6d9879e853

SHA1
10e2a2145c3e65fe24159645314e4809bd2f3edd

SHA256
5e1089b403c748c7697968bda25367aada5a3281ddfd7d3f18747c338a03aa30

SHA512
515f66fc03f1d28e044ee5abdfaca33f8d12b7db10e6b1000c88b0ccd1ccc771aa53b6c8e4848b1a9649c6ec266c6d7f181dd5ab49d33e31c650d644a8d24e95

Download Submit
C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff

Filesize
87B

MD5
2048e7f377827684952eac6638737664

SHA1
177f0e8e28f88204df60059d64c6ec3bc108a673

SHA256
e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

SHA512
624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

Download Submit
memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing