Analysis

  • max time kernel
    93s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2022 20:23

General

  • Target

    GOLAYA-BABE.exe

  • Size

    151KB

  • MD5

    dac386e7f20cfc2b696f170a74c08b32

  • SHA1

    9bb5ebaf5acd26aeaed14a0e1b523f82fd218684

  • SHA256

    eab9a0802104a987df42d7b337700c4b4da27d557f03899227646b04e65f992d

  • SHA512

    69e66a9c72dcf66105275ef3873bfa6a7facded688c4414ea9ea203aae5b7d2e3a86f44a4b755e6b972152f8aeebe121c9e8cafc6021132f6434571b67402624

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiSjVtrhDT2KOwedt:AbXE9OiTGfhEClq9SJxEt

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4048
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:116

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\nebo_i.utro

    Filesize

    56B

    MD5

    08f5781f51f212e1eab824fb947067a2

    SHA1

    78f4a49350ecb8db8baa7bf2ec62e41c6f8a2e8a

    SHA256

    b1c966f0472c74dee69fe70320abb378c8f644378a81fb80b7dd25f38b945ae3

    SHA512

    2216d0e06caa38ffd7f8778c7a361d26da7f3ea1a1c5575675352431d655c54c42af36638d5a1daa934e3f50534878adee3a6f58839a6000e7ea39599f7cb835

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs

    Filesize

    880B

    MD5

    453ef1bb7862dffc31b4e9a5fe42f577

    SHA1

    047de42ce3b251ad50f883053c574fdd9f7b0c63

    SHA256

    6d3ea080180aed6dfdab6d2b6b0788717fc2c9a603e5673a98db284ba39952cc

    SHA512

    e673232fbb227228cf3bfaee10a83341b462e6ea83c8c2dd1497b1286fe2a2e5b18ad59f59f90b1143935ac8b968dcd526f5d1cd3498c63fa712f569b47e7f1a

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat

    Filesize

    3KB

    MD5

    8cdb7cc395209f9738468a3efd8ff477

    SHA1

    9987efe7432c10121efc73c05b439297f143f305

    SHA256

    3b2cee0010b95715e7a05f2f3ad2015375ef8faed6adde1842ec1c07f2c33b62

    SHA512

    825a12a8ebe05a1f4f5e288013db82671c8fae4d95738174c07da73b1553a03edf1167e5e10cd435bff49e4fc8cc0b8e806a52e009d65741484942a75582b906

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs

    Filesize

    369B

    MD5

    8545976a86b8ce093854fd2edd1db345

    SHA1

    5f2b0299482a906fa25211a93a5b293fe74c2ec2

    SHA256

    f24e2023c90241e084dd303437aabff324096faeba43debdad243f98c063903b

    SHA512

    c78ec6a7d33774d1658d26c2906ac686d377140e55c30baedcd61a4c4373f0a29da2c68d91b39007265186e0c582c8608ab089b39bedffe8a02f256317395d0d

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\serdtse_toskuet.iop

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    6ab0366c27f08185c0d4375c02596855

    SHA1

    f9ff3458ec4b5b5aa94eec1e3a212a7921b50478

    SHA256

    489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee

    SHA512

    3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4

  • memory/116-137-0x0000000000000000-mapping.dmp

  • memory/1468-132-0x0000000000000000-mapping.dmp

  • memory/4048-136-0x0000000000000000-mapping.dmp