719d1250f234275a1721437c74fbce5f04171eaf1383ababb7b5634c4f18569e

General

Target

GOLAYA-BABE.exe
Size

151KB
MD5

732332e3aac9fae720a0f66d77ad2e7d
SHA1

9c6880999778d124a28d9866a617b7077837de39
SHA256

284436b0d48891c7b96d813bb56af83856f8ba881170cc6b0bc9f538af04e492
SHA512

03322a54ed3d494e68e88e41cbffcd18a06e163452a44da0c70423b7b8db423d00695f5e6b1cd968be7a6517f533a11df54a2c9faf1a26fc67833fbb3798a053
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiloRmDdzZl5ZX9iPd8YwjajE70zq:AbXE9OiTGfhEClq9JkdvgTGq

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	3764	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\eto_trava_detka.ggg	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\come_to_my_window.aga	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\alone_ndklokajos.olpo	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\tooo_my_blooood.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\come.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\Uninstall.exe	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\seduksenchuk.ico	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\what_you_say\be_youself\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\what_you_say\be_youself\zapuskalka.bat	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	GOLAYA-BABE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2296	4864	GOLAYA-BABE.exe	81
PID 4864 wrote to memory of 2296	4864	GOLAYA-BABE.exe	81
PID 4864 wrote to memory of 2296	4864	GOLAYA-BABE.exe	81
PID 2296 wrote to memory of 3764	2296	cmd.exe	83
PID 2296 wrote to memory of 3764	2296	cmd.exe	83
PID 2296 wrote to memory of 3764	2296	cmd.exe	83
PID 4864 wrote to memory of 2468	4864	GOLAYA-BABE.exe	84
PID 4864 wrote to memory of 2468	4864	GOLAYA-BABE.exe	84
PID 4864 wrote to memory of 2468	4864	GOLAYA-BABE.exe	84

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\what_you_say\be_youself\zapuskalka.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\what_you_say\be_youself\come.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\what_you_say\be_youself\tooo_my_blooood.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\what_you_say\be_youself\come.vbs

Filesize
402B

MD5
3cfcd777e4d539ecd92d65282ed756cf

SHA1
4925469b4a1ed0fc93fb2f99c83b37d673299098

SHA256
0ea14c85660ea10d494629c4a22de22f7a0a39a22ec69522fa1f1cd615411101

SHA512
5ff08cec960a2f529152c44e570362b15d17b0e96b2b97c61c42f9da6ccbf7d9c8db7263023cf3e42b3ab5ee6a8b8934ad76804217bce5b91aca0e4a4280fcfa

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\come_to_my_window.aga

Filesize
76B

MD5
264b3b49e7fe3e37fd0647bfd3eb753e

SHA1
b06c90a1379436ea5ca067f49a10878c94036a08

SHA256
b771ca8c63059dbb7badcedf4a340e6eaf3b9a79cc0bf1cecbc11583eda5fabc

SHA512
1a099b9580ef0550c24e692b10e219125323a783591efb08e086348ef54edf1fbe652dc39116b9d4eced5a80e044cd131fdc6a5af21b0be747607d362db31ff9

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\eto_trava_detka.ggg

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\tooo_my_blooood.vbs

Filesize
984B

MD5
43308fc23375b4137bb909672eadf19a

SHA1
355bc0106ee89aaa02c73ed336b2b839abc58c8c

SHA256
e9e2c1ec5bc7cd51c74031dfcb77dfe8c818427bfcfffda7134bd600e7c47236

SHA512
cee72474ef7e58c2850caba2d34d31c652592d8bf4d6321a7d20e9d0b2a008c91d5003ea66e387ec916d76b1148f379a70bcefe2087f314f2cd5de3bf52a9ebc

Download Submit
C:\Program Files (x86)\what_you_say\be_youself\zapuskalka.bat

Filesize
4KB

MD5
9983a83daef7c15b8ba8c1cb55851c01

SHA1
c6ef65ee941815890756fd58a9bc2e3a42fb125c

SHA256
e7d1e0fe248652015b6eb2b4caa18441ee0a98204c3c12585f99e2e2b428455c

SHA512
10cdfbd0fad305d1b8c82d8902c81ab9363f9fbd7b001fe96448772247c9c32a9ff0961b0336e64cd71eab45a6443d4dd67634dd8d018fd29bf80e3d7a02675f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6ab0366c27f08185c0d4375c02596855

SHA1
f9ff3458ec4b5b5aa94eec1e3a212a7921b50478

SHA256
489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee

SHA512
3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4

Download Submit

Analysis

Sharing