Overview

overview

8

Static

static

GOLAYA-SEXY.exe

windows7-x64

8

GOLAYA-SEXY.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    100s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2022 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-SEXY.exe

  • Size

    149KB

  • MD5

    082651eefe9806f50fb938f393148d45

  • SHA1

    61817d9547cbfc0490511c8599261b62adbc61fa

  • SHA256

    dd854c4d604f2add306b0e004097c9fb897b4107f02407d4b521abbc22919bbd

  • SHA512

    3c8cd68bd19fb0fbb40ed1a5f53d7f83f152c4aced62e137bd7771303da26a4e74ce2648958909f2f92506ea2508665d7139a11b0568740104df87b68bcaf994

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiIvh5iBZ:AbXE9OiTGfhEClq9SE

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1752
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\salst\ogurets\all3.vbs
    Filesize

    299B

    MD5

    399aafbff20b97ae2c6119061d41cbd0

    SHA1

    3056f90e2696e9564c9a3419cc7a7c03ef14b429

    SHA256

    898eebf1486b8d382f0001cec8604b4711d21e3015334bd5a49f60d39ebdc1fe

    SHA512

    85627296a59270aa783bf64d55d2560d9ee18eaa9de88deae4b8170581bd18450f53bfbbd9bdb6ec3a99ac8a06545252a1b10a13fa3584bb75dae4f917ed1606

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs
    Filesize

    744B

    MD5

    2b3d8e8acf083e55fdbaa04a313e082c

    SHA1

    d472ce8d0786478cc1f5bb1b8d9ba9085fc3ade3

    SHA256

    f75b5d1d65c4668e1c9833d7ef4dcd04013d7f1e52f80b579011cf12ba6f0846

    SHA512

    055609e1ac6e2824f5d02082e4da0995c7c1757543003cd5aa134adbf344c4c52d6d5361c909c9163dd017bc5fe6f52a5c47dc235ae77df31da8dc1bdd5a6085

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\podkati.bat
    Filesize

    3KB

    MD5

    32476fdee702c96f10c2bf839d4999ea

    SHA1

    6eba74027756760c7a3b22957efc215fbf9871e5

    SHA256

    78a635131e9f79f01185e120ecd29fb09260b56b678fccd3b23245fac2b673d3

    SHA512

    a5b73557a2293aff4b3d0e5a2f185af54abdda68ea40b5f167271da91e32f199af06bc60a6d6da4faeef960bf9844b538788745bf4c5a590807081cb6f280234

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\polenolll.pof
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\stuckja.jol
    Filesize

    51B

    MD5

    2f3e6a7cead939112e164924c1f10781

    SHA1

    33cd402d053f7597c1b825892929295e6834c35c

    SHA256

    9e32bfeb04a302900d18c7dbed95d648b766741a387001a1ef6ce32276c73136

    SHA512

    9005e318a904b7880f43e568230fd38e5a75d20f30f48b25058dad74b17d94d02bde1dbf9ee0bb931e8748f05087ab8b2116e4c00de3d134abb330bc07044ff2

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    0021c993f6e270022b22a1f77f6797c1

    SHA1

    8f0081a7735307c166ec3a995716dd5306723410

    SHA256

    47195bd86b55e24282ce44af1889353c2ec9aafe4897757759ec05d263fa5dad

    SHA512

    d65404624973d9e2fa8a16511ad0a1ab5a0f232a6ba74e84f69e3443496ea6a580f538cbcd7f160993315b4cfa40897dc548d70ff61f01a0b81a1437e09b5fd6

    Download Submit

  • memory/2040-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB

    Download