f4c91d53f51927c942dff396246c4b3b5c64b8bb33f2ceb518e1c9752eeb2060

General

Target

GOLAYA-PHOTO.exe
Size

174KB
MD5

1ff3421e7ddfa60dcc30d18fac2913a8
SHA1

d93499e78895ee7dcfb38be26e7a227cc1d45d71
SHA256

d8e50905e0280d0182d1d5eb87407f405448505fcae27353e0e8ff74f9bbf545
SHA512

bf068d5e20409f83b32f7b0497fd213f1f26a2bc7c61f1ca2f1b3449449b24427ad3effa842234ce70703912c2d09bdbbd622652167169991460369d38d4c806
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0hAeFVq4jMY1R2VE0A9WdDzi0jlp2l:3bXE9OiTGfhEClq9ZY2Vmex6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	660	WScript.exe
4	660	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\Uninstall.exe	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\zakolot_telku.nah.ico	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\mnogo_telok_i_nada_vseh_ebat.ffak	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\chetireh_sten\temni\Uninstall.ini	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1148	1288	GOLAYA-PHOTO.exe	27
PID 1288 wrote to memory of 1148	1288	GOLAYA-PHOTO.exe	27
PID 1288 wrote to memory of 1148	1288	GOLAYA-PHOTO.exe	27
PID 1288 wrote to memory of 1148	1288	GOLAYA-PHOTO.exe	27
PID 1148 wrote to memory of 660	1148	cmd.exe	29
PID 1148 wrote to memory of 660	1148	cmd.exe	29
PID 1148 wrote to memory of 660	1148	cmd.exe	29
PID 1148 wrote to memory of 660	1148	cmd.exe	29
PID 1288 wrote to memory of 1916	1288	GOLAYA-PHOTO.exe	30
PID 1288 wrote to memory of 1916	1288	GOLAYA-PHOTO.exe	30
PID 1288 wrote to memory of 1916	1288	GOLAYA-PHOTO.exe	30
PID 1288 wrote to memory of 1916	1288	GOLAYA-PHOTO.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs

Filesize
331B

MD5
9fb9fa8b1eba7579ab59c35c55c4381a

SHA1
68f72d042b70aff1b1f2b3cad791c0237c5ff372

SHA256
42f3fa8e95d4e4040407020bd72219aed19fdd7517f9d1aab0bad1d1a80364d0

SHA512
f5f1f42e7bcef749a02b441659454f55d3d360fa8ea9fef5a4991691b02f5253a9c17a87e9da07db6f5d8d403824d42222da8a4dd025c563d44e42e2a49c6af2

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs

Filesize
1002B

MD5
587b6535dbafe432757dda5cc75037ed

SHA1
aac3f1ba914317b81a18f9d7fc9286fd61024b22

SHA256
53914090a33c0297333f7b74089cf20c161b054ddeef08c01307a9f809d54c1f

SHA512
944e71fb14f875007377f1aacc55df9667cd5668744f5feb036f579ebfda786e20cc295df21fa6c49738445a8f9cec09dcfaa2a0d36d08c34534a831b5d2d5ad

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet

Filesize
59B

MD5
3e6372db557177e9ca76c4f471cf130c

SHA1
3e851ddf47bebe13f3495525bae5997efacd422c

SHA256
6b93cb0efdc95ac559151fb9102454da1cd5627f7ec2f9f30134089ebdc232b0

SHA512
642ddb68f154bef58c054cadba7f654ff702a1949fce2233ae226add187ccfe21052f59b56caa69fa1a078707564bd7e24ecca8796396557364a15abf0bfdeb1

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat

Filesize
4KB

MD5
8c4ab3cd1af662f75273749f14d29a2f

SHA1
92966676820b011c316d63830fd01dce4123ab96

SHA256
3bbb56e6019bd19df88fd1f50b617e34cc0d9df000496fd66b14fbdb71574c95

SHA512
0a56c157abb0187eba251145d017c5c4fe508dd3ff43ff3ee0b7857406437f9bb5ceee55c16b0fb01c44cfc93a55556c54e082fd8d6bc0d414a1e99cc69ed9b7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1064c483d3c5ea2bad9e228588d8c0ff

SHA1
4dba4163a55289c098cebf4e9b1c086b164bb02e

SHA256
494ca7f617f176dd5cb8c4cec40c880d1d9478e3b5b1855c8a53fc236c3102e0

SHA512
6d426289e218ed9f11148e85552e34cc7299f548c2cb5e800744d0bdc1f40618a8f1df41b317364dfa1b3aa6c81ea99e9a8b6e7426840ae5913d5c84674ed0ce

Download Submit
memory/1288-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing