7abf745c48c4f06f482c773bce6cbb244af3299978fbdab9f480b9373b4c2902

General

Target

GOLAYA-PHOTO.exe
Size

151KB
MD5

aaf0874d953648fd0ad4e3c5feafadf4
SHA1

7cb3b848597874b9cede25f50384b6a8fb7e6b52
SHA256

0dd70b2100074429aaf6cd7e05fc1a59a99b966e7e9cece0bd2c480cf22af506
SHA512

874e5dcbcba54fd42360a55b8856c6f4820bd688a2c6ed658a72fd20d359456e08bf020ab86b97027f62b8b08fe0b94ef09b6342ccb8afa695778b45cfeccb1f
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hihuknsA/ys79aWi:AbXE9OiTGfhEClq9Djn9/xgWi

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1504	WScript.exe
4	1504	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\tom_ebet_vseh_bab.ololo	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\solnisko_moe_vstavai_laskovi_i_takoi_krasivi.lol	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\Uninstall.exe	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\Uninstall.ini	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1352	1516	GOLAYA-PHOTO.exe	27
PID 1516 wrote to memory of 1352	1516	GOLAYA-PHOTO.exe	27
PID 1516 wrote to memory of 1352	1516	GOLAYA-PHOTO.exe	27
PID 1516 wrote to memory of 1352	1516	GOLAYA-PHOTO.exe	27
PID 1352 wrote to memory of 1504	1352	cmd.exe	29
PID 1352 wrote to memory of 1504	1352	cmd.exe	29
PID 1352 wrote to memory of 1504	1352	cmd.exe	29
PID 1352 wrote to memory of 1504	1352	cmd.exe	29
PID 1516 wrote to memory of 1740	1516	GOLAYA-PHOTO.exe	30
PID 1516 wrote to memory of 1740	1516	GOLAYA-PHOTO.exe	30
PID 1516 wrote to memory of 1740	1516	GOLAYA-PHOTO.exe	30
PID 1516 wrote to memory of 1740	1516	GOLAYA-PHOTO.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs

Filesize
951B

MD5
f2595768bf7424b0030864bca0386b09

SHA1
e1b8bbcc901deb8708d851bf67f81946a804f783

SHA256
8cbe82719aff3cceb24da590e35835dc85d8030208040c4f93e4b11e719b8d73

SHA512
3d0a3fe27855368db7f36e3318953651f837dde6716d9de6a37f902d612edce31da80462c7f52fb42d4a52092099cc5ca00f94e0d2061d7b1d29b4b526b6e9a3

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei

Filesize
61B

MD5
9404104eb96e6b369093f58ad743f20d

SHA1
5c35fe22aeccce534b5f643ea7aadfce960a273e

SHA256
ba512a6beb542413a6c772c73b6137295cfaff9ef6dc1dbd96846082d8175545

SHA512
1c6f904f27811589682e26be099a8827fbca6467d351973a2ce5d5b0aca2efc0c30cbb38f7b466558e7c1db7d381c8a4ec75cc88579ad364184ab1e3b1ff599b

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat

Filesize
4KB

MD5
b4f31c6ccfcad7e15bcca836ee0047dd

SHA1
8118abbfe00fa91c241a464c83595ccd7184b775

SHA256
75829affabf18b574faf07101723a1d3decca372dd641767123d381055bcea89

SHA512
fe40b18a7e9c996f99c45088b12c746e6ad624441d23ce47119d6881039dfd49b3d5556950fa9df69bd9e640ef362def6effdb7d5822205f730c9e4bf73f853a

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs

Filesize
336B

MD5
a36a38933baa8764f1a2ca6213774425

SHA1
e8bfcff2fa5bf5e96b7c4f5e78b2252efb3c9ee5

SHA256
fe25059fe3fcfbf036bc5c7597804bc8c056cac2b21bbd01e42958d0c76bc1fa

SHA512
b637ba599a11b3797fc2e506ec3b681e9ca50f81641ef7c30b7758babebcdea475649d8577f01f9426c7a6d7a7dde715476edd5ff03ff5b159f9aaf194765d2f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
22cf8376bd7251da68d1ac0c6231e294

SHA1
d8388e49907f5a80b2be219665a7fe2607204bc4

SHA256
18bf7cfa28c572d4c2be927596d30c4e9c82e0a695963c1f7209eb5c6b119592

SHA512
541c1589234965c5a64e6ed7fdb332b5a065cc1e2d555928a51aec14aaf57793844fc63724a1878bd1abba8bb641d6879a5311454616cdbf7509e85dcd52e446

Download Submit
memory/1516-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing