Analysis

  • max time kernel
    124s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 22:55

General

  • Target

    GOLAYA-DEVOCHKA.exe

  • Size

    151KB

  • MD5

    393261517b0efcf54d316cc541c9f590

  • SHA1

    a3db81c8fe7ad5803e9f6f1f6457cfac823984f4

  • SHA256

    db81ced9847834936d34d84c7183b75ec8da668e79750b3fbf7308de2ec3fa73

  • SHA512

    0f2c104a420d3d10486d72af1cc83a1e5ccc02842788e7e3b71713538eed46390e506932dba86ea6602f4f0a4d319864e8c19a83e69a2eff7e4337f954edad46

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiV57zMcab/haOY8SYasTp:AbXE9OiTGfhEClq9Fn4AtYrN

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\vinogradari\malshifg\milissa_enrike_els.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\vinogradari\malshifg\ti_chto_gonish.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:928
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\vinogradari\malshifg\y.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1904

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\vinogradari\malshifg\edem_vklubas_detka.wow

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\vinogradari\malshifg\milissa_enrike_els.bat

    Filesize

    3KB

    MD5

    24255a08ed0b0b3ae2b1bd6fb379a0af

    SHA1

    a8152431d1985044ad091e7f5710489074e0596f

    SHA256

    9a60462462d43bf8e9bae373bb1af850c452211c0855a32e95b65686c1544585

    SHA512

    ccd8de94cb88894161efd67756bc1446915d98e7835f46615e684bd9c2e7a570d71ab7f645e8660d6933364aefc225a435c792ede0f85e5bf5333e3919c4d09f

  • C:\Program Files (x86)\vinogradari\malshifg\ti_chto_gonish.vbs

    Filesize

    338B

    MD5

    b9996574f0e69fc87d9f8132e872de0a

    SHA1

    3587d7a5006428edbc9518d7a426905c994f5581

    SHA256

    5cd906abebbfe784a79b99f5090c9c5a73388d534ea9368098eb81a7e591271b

    SHA512

    41fd792901d89e3c56d4e717fe39242dc27bd4cd683ac0a3c843bb0695120239d311100d690b3c181654c77e050a8a59fea2ce419003cc6a51168d27b66b4409

  • C:\Program Files (x86)\vinogradari\malshifg\visel_drug_iz_parasi.sral

    Filesize

    64B

    MD5

    7f9a130179676d2bc80a23eeaf093202

    SHA1

    4beb8fbeb033b046a8d5b16b4476ba5c901265ec

    SHA256

    03b6404bf6cc46f9876640cc6a9ead19eeb180f5a08b4ca0a0a23cd2b29e75de

    SHA512

    887aa610394a02cc88629c9b95f6a0d7a23a0e4529406de6973010a9320461778b6c066e2636cdc112a7fbc46a646b019e2c588c5082d20182324d35bb4ed230

  • C:\Program Files (x86)\vinogradari\malshifg\y.vbs

    Filesize

    979B

    MD5

    856d260db7c59097504444d43f7d09f1

    SHA1

    538b5cd124ebf863eec74659defab3f08918f2cf

    SHA256

    8b113f0645af40d2ab08f0b36f37fc527d475149524364a1d052ff368bc01be2

    SHA512

    72cf6dcf3c22ae1b703d095869123b0f77fd8afe754237c250f0b9074947994a6f13a3aad11ebc6d8965b482dfac78bc24c0c06ceca93637cbab78992809c81f

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    22cf8376bd7251da68d1ac0c6231e294

    SHA1

    d8388e49907f5a80b2be219665a7fe2607204bc4

    SHA256

    18bf7cfa28c572d4c2be927596d30c4e9c82e0a695963c1f7209eb5c6b119592

    SHA512

    541c1589234965c5a64e6ed7fdb332b5a065cc1e2d555928a51aec14aaf57793844fc63724a1878bd1abba8bb641d6879a5311454616cdbf7509e85dcd52e446

  • memory/928-60-0x0000000000000000-mapping.dmp

  • memory/1216-55-0x0000000000000000-mapping.dmp

  • memory/1532-54-0x0000000075771000-0x0000000075773000-memory.dmp

    Filesize

    8KB

  • memory/1904-61-0x0000000000000000-mapping.dmp