Analysis
max time kernel: 93s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2022 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: GOLAYA-BABE.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: GOLAYA-BABE.exe
  Resource: win10v2004-20220812-en
General
Target: GOLAYA-BABE.exe
Size: 151KB
MD5: dac386e7f20cfc2b696f170a74c08b32
SHA1: 9bb5ebaf5acd26aeaed14a0e1b523f82fd218684
SHA256: eab9a0802104a987df42d7b337700c4b4da27d557f03899227646b04e65f992d
SHA512: 69e66a9c72dcf66105275ef3873bfa6a7facded688c4414ea9ea203aae5b7d2e3a86f44a4b755e6b972152f8aeebe121c9e8cafc6021132f6434571b67402624
SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiSjVtrhDT2KOwedt:AbXE9OiTGfhEClq9SJxEt
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
flow | pid | Process
12 | 4048 | WScript.exe
Drops file in Drivers directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hîsts | WScript.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | WScript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | GOLAYA-BABE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | cmd.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat | GOLAYA-BABE.exe
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs | GOLAYA-BABE.exe
File created | C:\Program Files (x86)\na_dva\vesna_nebo_i\Uninstall.ini | GOLAYA-BABE.exe
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\serdce_bolit.ico | GOLAYA-BABE.exe
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\serdtse_toskuet.iop | GOLAYA-BABE.exe
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\nebo_i.utro | GOLAYA-BABE.exe
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\tut_booovshe.poher | GOLAYA-BABE.exe
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs | GOLAYA-BABE.exe
File opened for modification | C:\Program Files (x86)\na_dva\vesna_nebo_i\Uninstall.exe | GOLAYA-BABE.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | GOLAYA-BABE.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4808 wrote to memory of 1468 | 4808 | GOLAYA-BABE.exe | 82
PID 4808 wrote to memory of 1468 | 4808 | GOLAYA-BABE.exe | 82
PID 4808 wrote to memory of 1468 | 4808 | GOLAYA-BABE.exe | 82
PID 1468 wrote to memory of 4048 | 1468 | cmd.exe | 84
PID 1468 wrote to memory of 4048 | 1468 | cmd.exe | 84
PID 1468 wrote to memory of 4048 | 1468 | cmd.exe | 84
PID 4808 wrote to memory of 116 | 4808 | GOLAYA-BABE.exe | 85
PID 4808 wrote to memory of 116 | 4808 | GOLAYA-BABE.exe | 85
PID 4808 wrote to memory of 116 | 4808 | GOLAYA-BABE.exe | 85
Processes
[1] C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4808
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat" "
        - Drops file in Drivers directory
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 1468
        [3] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs"
            - Blocklisted process makes network request
            PID: 4048
    [2] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs"
        - Drops file in Drivers directory
        PID: 116
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 56B
MD5: 08f5781f51f212e1eab824fb947067a2
SHA1: 78f4a49350ecb8db8baa7bf2ec62e41c6f8a2e8a
SHA256: b1c966f0472c74dee69fe70320abb378c8f644378a81fb80b7dd25f38b945ae3
SHA512: 2216d0e06caa38ffd7f8778c7a361d26da7f3ea1a1c5575675352431d655c54c42af36638d5a1daa934e3f50534878adee3a6f58839a6000e7ea39599f7cb835

Filesize: 880B
MD5: 453ef1bb7862dffc31b4e9a5fe42f577
SHA1: 047de42ce3b251ad50f883053c574fdd9f7b0c63
SHA256: 6d3ea080180aed6dfdab6d2b6b0788717fc2c9a603e5673a98db284ba39952cc
SHA512: e673232fbb227228cf3bfaee10a83341b462e6ea83c8c2dd1497b1286fe2a2e5b18ad59f59f90b1143935ac8b968dcd526f5d1cd3498c63fa712f569b47e7f1a

Filesize: 3KB
MD5: 8cdb7cc395209f9738468a3efd8ff477
SHA1: 9987efe7432c10121efc73c05b439297f143f305
SHA256: 3b2cee0010b95715e7a05f2f3ad2015375ef8faed6adde1842ec1c07f2c33b62
SHA512: 825a12a8ebe05a1f4f5e288013db82671c8fae4d95738174c07da73b1553a03edf1167e5e10cd435bff49e4fc8cc0b8e806a52e009d65741484942a75582b906

Filesize: 369B
MD5: 8545976a86b8ce093854fd2edd1db345
SHA1: 5f2b0299482a906fa25211a93a5b293fe74c2ec2
SHA256: f24e2023c90241e084dd303437aabff324096faeba43debdad243f98c063903b
SHA512: c78ec6a7d33774d1658d26c2906ac686d377140e55c30baedcd61a4c4373f0a29da2c68d91b39007265186e0c582c8608ab089b39bedffe8a02f256317395d0d

Filesize: 27B
MD5: 213c0742081a9007c9093a01760f9f8c
SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Filesize: 1KB
MD5: 6ab0366c27f08185c0d4375c02596855
SHA1: f9ff3458ec4b5b5aa94eec1e3a212a7921b50478
SHA256: 489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee
SHA512: 3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4