Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2022, 20:02

General

  • Target

    GOLAYA-SEXY.exe

  • Size

    239KB

  • MD5

    471ee52782395766d6e60db78eea6bf1

  • SHA1

    86886592b9281a9b640c06b3cb7742955405d0ee

  • SHA256

    f251a94739170aaf1ad716e6f31645cc3bb2350fc5e0ccc135511d9618f0386c

  • SHA512

    c2759eff3ce5ebebbe779bda325a1b35d1c9a10c06f15c99f1b3ac760ed9376540a20c0bb99f406db46b6e20ae361ac7c41bc5b1edfc981daed89bc2f89327dd

  • SSDEEP

    3072:OBAp5XhKpN4eOyVTGfhEClj8jTk+0hbRBrICPwXAFxTTw1BV56nt1UrknjaT5/e4:lbXE9OiTGfhEClq9aW6EBMbJ4JJUG

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\win23driverKernek\batreya\russkaya_vodka_chto_ti_natvorila.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:688
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2272
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:5096

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.ore

    Filesize

    820B

    MD5

    4e0ba70e25a10a41ab7f3df17350884b

    SHA1

    530967e7981801923e11fa1c7016ee96cc4fcf2a

    SHA256

    faf5106c623b2604eaeb4e660e5a2773a5c8f77fcfaf17fb2f3de8a95f368e24

    SHA512

    b1cfcb19de374a8172f033b9865a66a5de71cea7b4fcafef56b138b1d9d8ec96f4f197f87112ffbb80c4b10c7027d3433cc5b1b0082ac0a6eaafb15e45fa7c5a

  • C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.vbs

    Filesize

    820B

    MD5

    4e0ba70e25a10a41ab7f3df17350884b

    SHA1

    530967e7981801923e11fa1c7016ee96cc4fcf2a

    SHA256

    faf5106c623b2604eaeb4e660e5a2773a5c8f77fcfaf17fb2f3de8a95f368e24

    SHA512

    b1cfcb19de374a8172f033b9865a66a5de71cea7b4fcafef56b138b1d9d8ec96f4f197f87112ffbb80c4b10c7027d3433cc5b1b0082ac0a6eaafb15e45fa7c5a

  • C:\Program Files (x86)\win23driverKernek\batreya\russkaya_ssamogonka.oik

    Filesize

    140B

    MD5

    dae61dbfd043dac82526273abec1fda7

    SHA1

    670b1eaad8f3b90e64b5fe86a21131b5b26a88ad

    SHA256

    aa3372f1891436b400d2a9801240d4d873e9b8536017e746442981b9ffc34e0b

    SHA512

    34bf3873ae6e4847c0e0ab4ee2abcb65c459702e0b7ee1eade2cd28eb55593e8e3f242f957d66b87faed53b77d7360dc4a56158159445455b207757212205ae3

  • C:\Program Files (x86)\win23driverKernek\batreya\russkaya_vodka_chto_ti_natvorila.bat

    Filesize

    1KB

    MD5

    a0e4b0af6ef6d5905942811885bebf5c

    SHA1

    69ea8a265dc04c30d5fccbf74b47f73f00e3199c

    SHA256

    3e88b7dc1ec84123ed853fdce0aae4816b1fac10c78ee419af5f98c4210ec55a

    SHA512

    248585e56bb7e2b5bfd6789be145e2f59aa054a69779ffca9057eab26a667973f3c0bcff6425103dcd0abc26310da0173f4943931072f6bb0499453eaed56ed4

  • C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.ogo

    Filesize

    689B

    MD5

    2ee41d11db94e703fb0c2ed233cebb09

    SHA1

    aae4a0b05a112060f19a7d851aa32f2f02fe4670

    SHA256

    daecfc85967a5c12620ad05274e70d969d7f51fe368dbaa588d530f341ada135

    SHA512

    78f6120559d75322d6bc0b3a638d980599ddf81fa28f403dd751ff89b5544d6a4303660b91d07e4ce077155ef67240d2bc8f6c5561ec033ce8ad162cd400c170

  • C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.vbs

    Filesize

    689B

    MD5

    2ee41d11db94e703fb0c2ed233cebb09

    SHA1

    aae4a0b05a112060f19a7d851aa32f2f02fe4670

    SHA256

    daecfc85967a5c12620ad05274e70d969d7f51fe368dbaa588d530f341ada135

    SHA512

    78f6120559d75322d6bc0b3a638d980599ddf81fa28f403dd751ff89b5544d6a4303660b91d07e4ce077155ef67240d2bc8f6c5561ec033ce8ad162cd400c170

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    e756b71be76cd80a2dc3ae04deb9a309

    SHA1

    7cc93e6c927aa0bd1c83e5696e6195562ed27525

    SHA256

    4751e738816cbeae753aff68419fefd0817d6969b60db28b94d3de743abc20e7

    SHA512

    8db0b9f09ad3e16c1eddc900d0c75fdf447044fdaceefc44e778bc38dc62289fd0e134dd40453f0b9911a14c423cb92c3b6ef28bc16a66cd3aaa7ddab9b3a1a5