Analysis

  • max time kernel
    57s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
  • submitted
    03/10/2022, 22:55

General

  • Target

    GOLAYA-TOPLESS.exe

  • Size

    168KB

  • MD5

    54c4351d7d81153d206f89847baa8ea4

  • SHA1

    66f14de067d4678bf779161ed193128673cc2860

  • SHA256

    575fd65cf0c52c513f2f0f00730d41458bbd88ab1e47684eb1e5929406cc147b

  • SHA512

    77e4097245910dbcb0cf9a76dacc28a07889f16196396b989ad4fc87adeaf75dccfe229f58f2e686231663ea67381497e0f2d14c827d0760b2a94f119edd509a

  • SSDEEP

    3072:EBAp5XhKpN4eOyVTGfhEClj8jTk+0ht0IjkgnafZWvqKoWYDc1kFF50:TbXE9OiTGfhEClq9W0IgVZWoDgkF8

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\timoikowboi\ponyal ya\gunghoonCialismight.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:932
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\timoikowboi\ponyal ya\shotguns.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\timoikowboi\ponyal ya\frustratsia.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:556
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\timoikowboi\ponyal ya\subarunew2013forester.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:516

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Program Files (x86)\timoikowboi\ponyal ya\ViagraVs.Cialis

          Filesize

          27B

          MD5

          213c0742081a9007c9093a01760f9f8c

          SHA1

          df53bb518c732df777b5ce19fc7c02dcb2f9d81b

          SHA256

          9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

          SHA512

          55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

        • C:\Program Files (x86)\timoikowboi\ponyal ya\frustratsia.vbs

          Filesize

          984B

          MD5

          11f0bb9afa071f7a4a55add6e64303e6

          SHA1

          577f5ce382173328395b064bd6ce71aecff4d43d

          SHA256

          49c105efcb82bd7608a863e2e5cd988336e745e02dddfcccd6f031b61f5d3f08

          SHA512

          6b860a5d8830e7032b738715779e0c61e92261cbd38f5e508a0fe2c09294b22d2bbe1ec1ff039ac637e41a245a352dea3966dec76102f541c5de241bd8c05e9c

        • C:\Program Files (x86)\timoikowboi\ponyal ya\fundamentalhuman.being

          Filesize

          89B

          MD5

          9048ff7989f10e4ab6fa14040a922e34

          SHA1

          639c796ef2c0b19f3079ff31cea3bb14ef7c6302

          SHA256

          d20950f16dbba7046c1054aa6ac078c586641327c7db52bd0ced0765cac6748b

          SHA512

          07003b06edad5bb6d85fb91020dde7d2010bad536bcbde4384610a279924c205966973f9da839456a41183898f91abe2016310ee69c9e17a54f95313cb482670

        • C:\Program Files (x86)\timoikowboi\ponyal ya\gunghoonCialismight.bat

          Filesize

          3KB

          MD5

          4679b0b57914a37c0d23919a2e1aa5a8

          SHA1

          2ae35f9525644dffe93ffe60091bc19411561249

          SHA256

          39189a7a10d65f9cc890fea458813f9cb157b64912ff4d1f2bc5f49cc76c9ba2

          SHA512

          d12a11e36dbc93b39c8d4b62d26fd9f998ab8deddf15343cdd3c72f0c5e6cce39ff3510556847122d5c2e233e8ef83f1c09efce416eeb254f1aaf562d130e7dd

        • C:\Program Files (x86)\timoikowboi\ponyal ya\shotguns.bat

          Filesize

          83B

          MD5

          5857acd8b06f97269082d3e6fd16d5a3

          SHA1

          5f231e8bc2a1ac2ae294522cf5e916e935d54095

          SHA256

          73ae03d67383407d38de6cf82864cf90a147d124cf7e5a8b6cbd9a7cf4d6fb3c

          SHA512

          6265cb065ef8c9f45efeee825c8ecc1a5a3eeee52ebc6cae492f2bf2e7a88c241697c4432b2bdbaa9c57a8b5ffda3c78e4f3f72dc5c5005e98574521720d2383

        • C:\Program Files (x86)\timoikowboi\ponyal ya\subarunew2013forester.vbs

          Filesize

          444B

          MD5

          9b20b23a9dcfe6c07f29b295e334ebe3

          SHA1

          a88bca6350ad1be2159520276c0cdf7418e2634a

          SHA256

          47a68b44e2ad53cedc07a790ff36fd0283f77da6306748ae9eb7ccf1b1df4b31

          SHA512

          65da85bb7a095ff2a2f2f1a4170e7f0b6c578c5c4b00eb67c06feec00e9637a2dfd640fef1677ce8b8401c048b4a0e6c5e1915329b0bd61758f823643bb7dd5d

        • C:\Windows\System32\drivers\etc\hosts

          Filesize

          1KB

          MD5

          c39f1e442aa7dadd7808962cba03dfc2

          SHA1

          c4a8ae5f92f800d80e33003c3078723cb7e828ee

          SHA256

          e2a57c4619e1948323024b2e270b85c4fa99ab238fb902ff013eaca4e130c164

          SHA512

          5f67444e1d7e1ea872aeeabd2e2a943ef9f4c4cbfb264b022ad3d8b39d65394ce12849d114f1108f5d3e8a61755a1e9910649ec1b10c3a8b5571a8766ee2afb3

        • memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

          Filesize

          8KB