Analysis
-
max time kernel
113s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-09-2022 17:26
General
-
Target
GOLAYA-SEXY.exe
-
Size
149KB
-
MD5
082651eefe9806f50fb938f393148d45
-
SHA1
61817d9547cbfc0490511c8599261b62adbc61fa
-
SHA256
dd854c4d604f2add306b0e004097c9fb897b4107f02407d4b521abbc22919bbd
-
SHA512
3c8cd68bd19fb0fbb40ed1a5f53d7f83f152c4aced62e137bd7771303da26a4e74ce2648958909f2f92506ea2508665d7139a11b0568740104df87b68bcaf994
-
SSDEEP
3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiIvh5iBZ:AbXE9OiTGfhEClq9SE
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"3⤵
- Blocklisted process makes network request
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"2⤵
- Drops file in Drivers directory
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
299B
MD5399aafbff20b97ae2c6119061d41cbd0
SHA13056f90e2696e9564c9a3419cc7a7c03ef14b429
SHA256898eebf1486b8d382f0001cec8604b4711d21e3015334bd5a49f60d39ebdc1fe
SHA51285627296a59270aa783bf64d55d2560d9ee18eaa9de88deae4b8170581bd18450f53bfbbd9bdb6ec3a99ac8a06545252a1b10a13fa3584bb75dae4f917ed1606
-
Filesize
744B
MD52b3d8e8acf083e55fdbaa04a313e082c
SHA1d472ce8d0786478cc1f5bb1b8d9ba9085fc3ade3
SHA256f75b5d1d65c4668e1c9833d7ef4dcd04013d7f1e52f80b579011cf12ba6f0846
SHA512055609e1ac6e2824f5d02082e4da0995c7c1757543003cd5aa134adbf344c4c52d6d5361c909c9163dd017bc5fe6f52a5c47dc235ae77df31da8dc1bdd5a6085
-
Filesize
3KB
MD532476fdee702c96f10c2bf839d4999ea
SHA16eba74027756760c7a3b22957efc215fbf9871e5
SHA25678a635131e9f79f01185e120ecd29fb09260b56b678fccd3b23245fac2b673d3
SHA512a5b73557a2293aff4b3d0e5a2f185af54abdda68ea40b5f167271da91e32f199af06bc60a6d6da4faeef960bf9844b538788745bf4c5a590807081cb6f280234
-
Filesize
27B
MD5213c0742081a9007c9093a01760f9f8c
SHA1df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA2569681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA51255182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
-
Filesize
51B
MD52f3e6a7cead939112e164924c1f10781
SHA133cd402d053f7597c1b825892929295e6834c35c
SHA2569e32bfeb04a302900d18c7dbed95d648b766741a387001a1ef6ce32276c73136
SHA5129005e318a904b7880f43e568230fd38e5a75d20f30f48b25058dad74b17d94d02bde1dbf9ee0bb931e8748f05087ab8b2116e4c00de3d134abb330bc07044ff2
-
Filesize
1KB
MD50021c993f6e270022b22a1f77f6797c1
SHA18f0081a7735307c166ec3a995716dd5306723410
SHA25647195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad
SHA512d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6
-
-
-