864dbc273a1bccf6e980c120f0d64e125ffadb8b416d35d0af9689dc26083296

General

Target

GOLAYA-DEVOCHKA.exe
Size

149KB
MD5

e1fb70408c7945c6524c321063bd9570
SHA1

ebcd6a63fac9609c46e9c84708aa1e5701ee7775
SHA256

3e2da7a655e400f9e6ad442d4db21bac0a9528bc825aaaa8fdd97406458a59ed
SHA512

58751bd094dfc28c8b83085a480f70d1dfc97b990e69d90c4abe6ad5ec68c2a215445a664d5287bc624eab4175c2479fe6f0802b045fea61c12449af05f34814
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0higWrUzM/XP:AbXE9OiTGfhEClq9GWruyXP

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1368	WScript.exe
4	1368	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\salst\ogurets\Uninstall.ini	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\lit.vbs	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\122.txt	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\all3.vbs	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\Uninstall.exe	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\polenolll.pof	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\podkati.bat	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\stuckja.jol	GOLAYA-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1536	1976	GOLAYA-DEVOCHKA.exe	27
PID 1976 wrote to memory of 1536	1976	GOLAYA-DEVOCHKA.exe	27
PID 1976 wrote to memory of 1536	1976	GOLAYA-DEVOCHKA.exe	27
PID 1976 wrote to memory of 1536	1976	GOLAYA-DEVOCHKA.exe	27
PID 1536 wrote to memory of 1368	1536	cmd.exe	29
PID 1536 wrote to memory of 1368	1536	cmd.exe	29
PID 1536 wrote to memory of 1368	1536	cmd.exe	29
PID 1536 wrote to memory of 1368	1536	cmd.exe	29
PID 1976 wrote to memory of 1716	1976	GOLAYA-DEVOCHKA.exe	30
PID 1976 wrote to memory of 1716	1976	GOLAYA-DEVOCHKA.exe	30
PID 1976 wrote to memory of 1716	1976	GOLAYA-DEVOCHKA.exe	30
PID 1976 wrote to memory of 1716	1976	GOLAYA-DEVOCHKA.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\salst\ogurets\all3.vbs

Filesize
343B

MD5
a70714342e5ae422f1d4b0a7de156938

SHA1
17623bd5629d4aaead0b48625ec873b92a4d7a38

SHA256
b207e48398159a5637bbffa95c4dd0065172a973163d1bdf12e4f5dc716236fe

SHA512
acb2a805a6d5b372b049f167e36d5fb4614efc4dc3ebbb7a10b9bd6c1aa15b95a7da189f041db752481cf5ff7a52bc9536e324f52a531f4cde017bb08f4323f0

Download Submit
C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs

Filesize
743B

MD5
556b867977c81ea01eddf0d1dca64b09

SHA1
ff062063e4d879aba253391d65698ebe2e435f71

SHA256
16b74e98406c9237e29e4f943165f9bce680bcd2fdcb4179d8b8c4a474ff57c0

SHA512
8ad4380e76216d71403eba8c02da6536de86403f49b842b12b4dea6d5e09d7ced642717a0c004257db903538a4fdd4b341c2ef83568564fd0b9ca7ec45441867

Download Submit
C:\Program Files (x86)\salst\ogurets\podkati.bat

Filesize
3KB

MD5
29256f814d96aa9b1ba552ca27d5d8d1

SHA1
d9fa70fb8c7a1aa855b2d36e313e07951f9f5888

SHA256
7529f6ecd65340c10079f3dd2a902b2aeb5283cb26c3d6aeb9f16f98c247c3ae

SHA512
83638edabb754f0abc2bdbd09cdb6049869fea64ecbc8b13ae9a4d6ee03a8df4e64e73e3ac78b2811a46f0d6c2a6713f2d11d170eae18ec516de39574109a794

Download Submit
C:\Program Files (x86)\salst\ogurets\polenolll.pof

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\salst\ogurets\stuckja.jol

Filesize
43B

MD5
d78035c4c5b31de497461498fedee636

SHA1
e67dbea9bcc9deb3a93bc45bc936162ce431e1c5

SHA256
5d3a1308501ae2d5eac35d1166f833c6ee68bf4501789d7b8b0825373f5ede5c

SHA512
55da15d3f69422585bacfdc852780fa7c8db7b31a0cec251d7590a9850f919902d64e66c62d3e74ada9f8946fccd4f2988dd45533301d2580d7976b00b799785

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0021c993f6e270022b22a1f77f6797c1

SHA1
8f0081a7735307c166ec3a995716dd5306723410

SHA256
47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

SHA512
d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

Download Submit
memory/1368-60-0x0000000000000000-mapping.dmp

Download
memory/1536-55-0x0000000000000000-mapping.dmp

Download
memory/1716-61-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing