Analysis

  • max time kernel
    63s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64  arch:x86  image:win7-20220812-en  locale:en-us  os:windows7-x64  system
  • submitted
    19-09-2022 17:44

General

  • Target

    GOLAYA-PHOTO.exe

  • Size

    149KB

  • MD5

    13135ec7bee7db877b3654059374ebde

  • SHA1

    f3f3a8c6b395211ebdbb2a73769e21c401d34e0c

  • SHA256

    7dbe9bdea098a5cb0608135c1705d2aa2e080ebc4146a02001a793ff0970252a

  • SHA512

    3f7eb418322b1abbe60b2fa6845ffb3e530808739b0dc542707c713f83bc4b02a4a1568a28e9badeb71bd5512e14a47387abe80b2edf0b440f2c40cc3cc08db8

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiqtAhp:AbXE9OiTGfhEClq9QtAhp

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs

    The requesting process is WScript.exe (PID 856) executing al99999.vbs; see the process tree below.

  • Drops file in Drivers directory 3 IoCs

    The file written under C:\Windows\System32\drivers\ is etc\hosts (listed under Downloads below), i.e. a name-resolution override rather than a driver. Both koollapsa.bat (via cmd.exe, PID 1776) and all2.vbs (PID 1492) carry this tag.
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox describes this signature as likely ransomware behaviour; no encryption activity or ransom note appears elsewhere in this report, so treat the label as the generic signature text, not a verdict on this sample.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Company\NewProduct\koollapsa.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\al99999.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:856
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\all2.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1492
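
The tree above is what a detection would key on: a binary running from the user's Temp directory writes scripts under Program Files (x86)\Company\NewProduct and launches them through cmd.exe and WScript.exe. The following Python is an added example, not part of the sandbox report. It replays that tree as constructed process-creation events (PIDs, images and command lines are taken from the tree; the dropper's own parent, an explorer.exe entry, and two benign events are assumptions) and flags any cmd.exe or script host that runs a .bat/.vbs/.js from Program Files while descending from a process in the user's Temp directory. The rule is written generally, so it also covers cscript.exe and other script extensions the sample did not use.

```python
"""Detect the dropper -> cmd.exe -> WScript.exe chain from process events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Interpreters whose command line is inspected for a dropped script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# Origin we care about: an ancestor running out of the user's Temp directory.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# A script argument that lives under Program Files or Program Files (x86).
DROPPED_SCRIPT_RE = re.compile(
    r'"?[A-Z]:\\Program Files( \(x86\))?\\[^"]+\.(bat|cmd|vbs|vbe|js|jse)"?',
    re.IGNORECASE,
)

# Constructed events: the four processes from the report's tree (PIDs and
# command lines as listed there), plus an assumed explorer.exe parent and two
# benign events that the rule must not flag.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1584, 1000, r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"'),
    ProcEvent(1776, 1584, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Program Files (x86)\Company\NewProduct\koollapsa.bat" "'),
    ProcEvent(856, 1776, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" '
              r'"C:\Program Files (x86)\Company\NewProduct\al99999.vbs"'),
    ProcEvent(1492, 1584, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" '
              r'"C:\Program Files (x86)\Company\NewProduct\all2.vbs"'),
    # Benign (assumed): a batch file from a user directory, and a vendor
    # script under Program Files whose ancestry never touches Temp.
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Users\Admin\build.bat"'),
    ProcEvent(2100, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\setup.vbs"'),
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Parent, grandparent, ... of pid, stopping at the root or at a PID cycle."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_suspicious_chains(events: list) -> list:
    """Script hosts running a Program Files script with a Temp-resident ancestor."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        m = DROPPED_SCRIPT_RE.search(e.cmdline)
        if not m:
            continue
        origin = next((a for a in ancestors(e.pid, by_pid)
                       if TEMP_DIR_RE.search(a.image)), None)
        if origin is None:
            continue
        hits.append({"pid": e.pid, "host": basename(e.image),
                     "script": m.group(0).strip('"'), "origin_pid": origin.pid})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"PID {hit['pid']:>5} {hit['host']:<12} runs {hit['script']} "
              f"(origin PID {hit['origin_pid']})")
```

Note that the image paths in the tree are under SysWOW64 while the command lines say System32: the 32-bit dropper is subject to WOW64 file-system redirection, so matching on the image basename rather than the directory keeps the rule valid for both bitnesses.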

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Company\NewProduct\al99999.pp

    Filesize

    234B

    MD5

    0ed4d363b23de2f2e155f12a2caad6c6

    SHA1

    ca01261735a2368e29c3b2695e0156a447099aa2

    SHA256

    0832d445cecf5f174085cb2209c073f83c5ddc48c95d8d1642eaba37c2ab5567

    SHA512

    7d889d3be545c1aff88db384923d88aa229fbd66540dae0b788e12ed58573e4b3f7c52c2d5db18343fc3a33382b6e169c2cca7233778700da1df5cd16d055e4f

  • C:\Program Files (x86)\Company\NewProduct\al99999.vbs

    Filesize

    234B

    MD5

    0ed4d363b23de2f2e155f12a2caad6c6

    SHA1

    ca01261735a2368e29c3b2695e0156a447099aa2

    SHA256

    0832d445cecf5f174085cb2209c073f83c5ddc48c95d8d1642eaba37c2ab5567

    SHA512

    7d889d3be545c1aff88db384923d88aa229fbd66540dae0b788e12ed58573e4b3f7c52c2d5db18343fc3a33382b6e169c2cca7233778700da1df5cd16d055e4f

  • C:\Program Files (x86)\Company\NewProduct\all2.vbs

    Filesize

    678B

    MD5

    bf72f45eb64682832ec502a1d3d2fe36

    SHA1

    a77c4751b9a679c0b31c1d854dffaf0d2886d4ab

    SHA256

    c2efdbb412e438c9d74954778935676013f4485bf16d8076b23c191a3f81fa05

    SHA512

    438832c895db8d26dcbfb9ac3575d4f6478649c871ca9c52b588cec751a5eb6ad187c5f00a0b6d150205036a306e4ab8000a1f16a54cfb7d783b4492a1be0407

  • C:\Program Files (x86)\Company\NewProduct\hhhh.txt

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\Company\NewProduct\koollapsa.bat

    Filesize

    3KB

    MD5

    2180c017ea68ff374d8a37aea32f6b8d

    SHA1

    bdc5a525249a41e434cba309e79b8eac0aeb6865

    SHA256

    e541a4b41252542251096f388810d4ec2d0e1f1e96f222134982d95581abd3a1

    SHA512

    a70d00862535e055fc7283d367921f1f037ea1fce71b57bdd74463f00428eb2dd5b8006cb61ce882e586cce8825c620f202498ceaaa8d727cf16a5d4aef29aca

  • C:\Program Files (x86)\Company\NewProduct\slonik.po

    Filesize

    65B

    MD5

    ad13b5db4d7ddfa3f5239e5b5f06e8e5

    SHA1

    24c28d82adacac1b118f5d1abbc12218583431e9

    SHA256

    7dc870d6e2fb495c37409b887f79e02d74bdd6bef3ba45a8ac8a3003d33ae73e

    SHA512

    4b71633dcf9f5ad986cc09c22da7956a7b006563df4e752cc9d3507743c4c3dc55a309a68fe17ef8a0c6779ae694dd55b7f61c4b3638cf8806722a6fbdf8af03

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    0021c993f6e270022b22a1f77f6797c1

    SHA1

    8f0081a7735307c166ec3a995716dd5306723410

    SHA256

    47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

    SHA512

    d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

  • memory/856-60-0x0000000000000000-mapping.dmp

  • memory/1492-61-0x0000000000000000-mapping.dmp

  • memory/1584-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

    Filesize

    8KB

  • memory/1776-55-0x0000000000000000-mapping.dmp
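
The hashes above can be turned directly into a host sweep. The following Python is an added example, not part of the sandbox report: it carries the SHA256 values from the Downloads list (note that al99999.pp and al99999.vbs share one hash, so they are the same file under two names), hashes each listed path relative to a chosen root (a live system drive or a mounted image), and classifies it as absent, matching, or present with a different hash. For the hosts file a hash mismatch is expected on every machine, so the script also lists its active entries for review. The sample tree it builds, its placeholder file contents and the hosts lines in it are constructed for the offline run and are not the sample's real contents.

```python
"""IOC sweep for the dropped files listed in the report's Downloads section."""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads list, keyed by path
# relative to the system drive (Windows separators kept as in the report).
REPORT_IOCS = {
    r"Program Files (x86)\Company\NewProduct\al99999.pp":
        "0832d445cecf5f174085cb2209c073f83c5ddc48c95d8d1642eaba37c2ab5567",
    r"Program Files (x86)\Company\NewProduct\al99999.vbs":
        "0832d445cecf5f174085cb2209c073f83c5ddc48c95d8d1642eaba37c2ab5567",
    r"Program Files (x86)\Company\NewProduct\all2.vbs":
        "c2efdbb412e438c9d74954778935676013f4485bf16d8076b23c191a3f81fa05",
    r"Program Files (x86)\Company\NewProduct\hhhh.txt":
        "9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69",
    r"Program Files (x86)\Company\NewProduct\koollapsa.bat":
        "e541a4b41252542251096f388810d4ec2d0e1f1e96f222134982d95581abd3a1",
    r"Program Files (x86)\Company\NewProduct\slonik.po":
        "7dc870d6e2fb495c37409b887f79e02d74bdd6bef3ba45a8ac8a3003d33ae73e",
    r"Windows\System32\drivers\etc\hosts":
        "47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad",
}

HOSTS_REL = r"Windows\System32\drivers\etc\hosts"


def sha256_file(path: Path) -> str:
    """Streamed SHA256 of a file, so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: dict) -> dict:
    """Map each IOC path to 'absent', 'match' or 'present-different-hash'."""
    result = {}
    for rel, expected in iocs.items():
        p = root.joinpath(*rel.split("\\"))
        if not p.is_file():
            result[rel] = "absent"
        elif sha256_file(p).lower() == expected.lower():
            result[rel] = "match"
        else:
            result[rel] = "present-different-hash"
    return result


def hosts_entries(path: Path) -> list:
    """Active (non-comment) hosts entries as (address, hostname) pairs."""
    entries = []
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.extend((parts[0], name) for name in parts[1:])
    return entries


def build_constructed_root() -> Path:
    """Constructed sample tree (placeholder contents, not the sample's files)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    drop = root / "Program Files (x86)" / "Company" / "NewProduct"
    drop.mkdir(parents=True)
    (drop / "hhhh.txt").write_bytes(b"constructed placeholder content")
    etc = root / "Windows" / "System32" / "drivers" / "etc"
    etc.mkdir(parents=True)
    (etc / "hosts").write_text(
        "# constructed hosts file\n"
        "127.0.0.1 localhost\n"
        "0.0.0.0 updates.example.invalid   # constructed override entry\n"
    )
    return root


if __name__ == "__main__":
    root = build_constructed_root()      # point this at C:\ or a mounted image instead
    for rel, status in sweep(root, REPORT_IOCS).items():
        print(f"{status:<22} {rel}")
    for addr, name in hosts_entries(root.joinpath(*HOSTS_REL.split("\\"))):
        print(f"hosts entry: {addr} -> {name}")
```

Any hit under Program Files (x86)\Company\NewProduct is worth escalating even when the hash differs, since that directory exists only because something created it; for the hosts file, the entries listing is the actionable output.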