a6c277ed9c942b84feb164b7df1a874e0b3dde1636d40f35b77a259dd47ed623

General

Target

GOLAYA-RUSSKAYA.exe
Size

149KB
MD5

1a85fb803be48d4b605ebe3bfc4da62a
SHA1

2aa2b1a0313ea2b0f93a42c5c68a3dfc34f3be6f
SHA256

5b786fc82a774f220e3fc06b74a2f091d7aa30cdc84ed78851fdf1ea0932cb42
SHA512

2691bb8c2dd3b1612e38db8e1bb9ef73576b59af19ae6191f9741bc75f34361205ed684f1ce6151c0f9787f3dea22683444d32f6d47bc721e2a2dd000ccb65ca
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiWC23gO3EwUGPN:AbXE9OiTGfhEClq9F23gO0wUGl

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	4964	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GOLAYA-RUSSKAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Produc\New\nadopilitsa.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Produc\New\poppets.txt	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nevedomaya.hernya	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\Produc\New\nadopilitsa.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Produc\New\Uninstall.exe	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\Produc\New\Uninstall.ini	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nuashks.bat	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\samisok.vbs	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\Produc\New\nadopilitsa.nabazu	GOLAYA-RUSSKAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	GOLAYA-RUSSKAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3576	3456	GOLAYA-RUSSKAYA.exe	80
PID 3456 wrote to memory of 3576	3456	GOLAYA-RUSSKAYA.exe	80
PID 3456 wrote to memory of 3576	3456	GOLAYA-RUSSKAYA.exe	80
PID 3576 wrote to memory of 4964	3576	cmd.exe	82
PID 3576 wrote to memory of 4964	3576	cmd.exe	82
PID 3576 wrote to memory of 4964	3576	cmd.exe	82
PID 3456 wrote to memory of 3152	3456	GOLAYA-RUSSKAYA.exe	83
PID 3456 wrote to memory of 3152	3456	GOLAYA-RUSSKAYA.exe	83
PID 3456 wrote to memory of 3152	3456	GOLAYA-RUSSKAYA.exe	83

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Produc\New\nadopilitsa.nabazu

Filesize
269B

MD5
f8e76085c4bab58dcb161028c3aae9c9

SHA1
764af0a064b08e40beeab421df76d3c7fb389c75

SHA256
e7388abfc5e55e53c9a06f74e6000107b15641c3d99fe89d9f990584049b4ad6

SHA512
7c557fdee8163233be08a494955b02af789d37fefc5429b966079c83950f4b79ec50c7f521ba0cc72cb762c300ab96ce72c1bc90a3eca6eeed67e1a2614a8b61

Download Submit
C:\Program Files (x86)\Produc\New\nadopilitsa.vbs

Filesize
269B

MD5
f8e76085c4bab58dcb161028c3aae9c9

SHA1
764af0a064b08e40beeab421df76d3c7fb389c75

SHA256
e7388abfc5e55e53c9a06f74e6000107b15641c3d99fe89d9f990584049b4ad6

SHA512
7c557fdee8163233be08a494955b02af789d37fefc5429b966079c83950f4b79ec50c7f521ba0cc72cb762c300ab96ce72c1bc90a3eca6eeed67e1a2614a8b61

Download Submit
C:\Program Files (x86)\Produc\New\nevedomaya.hernya

Filesize
48B

MD5
7215ed14e21d41517551593a906dfa9e

SHA1
572ec6424f46b19e5b1a0ebcb58df8efadaa37aa

SHA256
248f4f03a3bac68d3f2231e72dcdb82d16ba4a49631306e231200c36a4d7d6b6

SHA512
c81fcc628b6178017cacdbf7c57b5bd3304ea1e6a43b4c8164082f6d701f7f03c16d3026b011819ee76cb4609ca8c00e70566382cd839fba9fe714e1d0a1f7e5

Download Submit
C:\Program Files (x86)\Produc\New\nuashks.bat

Filesize
3KB

MD5
3e4c3d96bb56bf7fd6de66b193f86d04

SHA1
cf58adf14aa9cf5c4ebe270edd10910d88180bde

SHA256
e0eb677d3ad428b7760958924f2701654b40b6de1059aed2a94174ca5ec50214

SHA512
6037db447934cd702d7bfbbf0d918fccf54c341dae8a9148dc5f2cbf4226184d9b6eec47196a0ec98bb70dd78dcc1bcdc0c12c542c5e7459460d1c4cd99b563d

Download Submit
C:\Program Files (x86)\Produc\New\poppets.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Produc\New\samisok.vbs

Filesize
790B

MD5
a72404d8d2ce31b6373ae35bb11e9de2

SHA1
72bbc15ccb7823161482cc2997bd02ec212b9f4f

SHA256
3c9a8a034780f0a757c06db040a8342a3f9331f150ebab6144beee795fa01ae2

SHA512
29d871a39dc174f364ee4b04d34be54f4369178c2266ff62090866a428bc69c6b7f54ac10d2a48ef73d2d3b531966f6597be55ee3e9b25eb4746b4a0f884f900

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit
memory/3152-138-0x0000000000000000-mapping.dmp

Download
memory/3576-132-0x0000000000000000-mapping.dmp

Download
memory/4964-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing