0a785b4dbce9250f1b24549e13ced6392fdfd7dc1bca535f1f8194538aa3dae2

General

Target

GOLAYA-TOPLESS.exe
Size

149KB
MD5

ccca394b1369e766c53346550b481c57
SHA1

47dccd3fc9b7bf7c98f75fa11725089d5a977b4c
SHA256

211901e1229d7b816754146ff8d7167e8a92211afe63dc44eb8056d0b054a12a
SHA512

98625c9dd7cc8b57609ce20f6f295dc8704a75b49cde806ddbbb040cf3832028425bed0cd0da0c501508fabd2cdc59cd1717fa948362281848ed4ba798990712
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hisUwxgTpLnNq:AbXE9OiTGfhEClq9TwxgJn0

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1284	WScript.exe
4	1284	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\salst\ogurets\122.txt	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\all3.vbs	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\salst\ogurets\Uninstall.ini	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\polenolll.pof	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\lit.vbs	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\Uninstall.exe	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\podkati.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\stuckja.jol	GOLAYA-TOPLESS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 940	1600	GOLAYA-TOPLESS.exe	27
PID 1600 wrote to memory of 940	1600	GOLAYA-TOPLESS.exe	27
PID 1600 wrote to memory of 940	1600	GOLAYA-TOPLESS.exe	27
PID 1600 wrote to memory of 940	1600	GOLAYA-TOPLESS.exe	27
PID 940 wrote to memory of 1284	940	cmd.exe	29
PID 940 wrote to memory of 1284	940	cmd.exe	29
PID 940 wrote to memory of 1284	940	cmd.exe	29
PID 940 wrote to memory of 1284	940	cmd.exe	29
PID 1600 wrote to memory of 520	1600	GOLAYA-TOPLESS.exe	30
PID 1600 wrote to memory of 520	1600	GOLAYA-TOPLESS.exe	30
PID 1600 wrote to memory of 520	1600	GOLAYA-TOPLESS.exe	30
PID 1600 wrote to memory of 520	1600	GOLAYA-TOPLESS.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\salst\ogurets\all3.vbs

Filesize
358B

MD5
559c8ec72bf701870603c0f79907234c

SHA1
f3a809dee961f1f3d6c5c384596504981273fd77

SHA256
51611da1f1bedbfc97fa015b41bc5e5ebfe61b8eb2aca050d440c642dd0c41c6

SHA512
6616f4ac087e1b9e6f1bff0e5d844e316cddd5a2409e97b88118410475ab1bb544d59d6006940f74cad176470bc58112608d2b7bc01e71f0b232c6cdfa551a6a

Download Submit
C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs

Filesize
826B

MD5
b0350182dcd735cf07e9c501cff5e7a1

SHA1
6dc80006d0d6e0e1d136826ab0e2a6c9bc61b950

SHA256
9659ca4ab0f584f9f3bbb5135eb0d12ebc3d24cbbdc719c7d7338f59d401f410

SHA512
3ba96b3082f3a98a3adc452d1f52284bd49b2d035f0fbe960738324b624b8e2a70254bbed7a7f0d29ff6f5cd756f01f29d3fbba75419d9ed652879cdf79312ea

Download Submit
C:\Program Files (x86)\salst\ogurets\podkati.bat

Filesize
3KB

MD5
a131962527d3b919e7c23267a2b0cdc4

SHA1
e7d2e84d765b7c2011bb91c78c93da33227dcfc8

SHA256
72375ee539442bf129b7ad6c3dbc68728b16a2106cef403000f26a833dd12322

SHA512
cfd69e3b434c9b4262b929b02e7616151f2960df56cc632f8c0e4d6e3a2f724c34db7d71e1bc984bccd9cc0a39a77e6da86cc4d675c2af0d3ae09bf981694cbc

Download Submit
C:\Program Files (x86)\salst\ogurets\polenolll.pof

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\salst\ogurets\stuckja.jol

Filesize
64B

MD5
61391af0a6e3c8f6d08b46b623eb3c2e

SHA1
ffe8b74b2c5920b13fabd2f203ab2c6171be663a

SHA256
d0a90a49e36d502e4903b5062712bca9006ae0afd349d4e9a74789eb68189685

SHA512
f98bbbb3602936619714dcf787c3589948291e6e7a0c69f404e8b636a3c7ce608ac400b589b828f31270c550ef28f8a741fc40d8d018e28f0fe4512d50140180

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit
memory/520-61-0x0000000000000000-mapping.dmp

Download
memory/940-55-0x0000000000000000-mapping.dmp

Download
memory/1284-60-0x0000000000000000-mapping.dmp

Download
memory/1600-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing