Analysis
-
max time kernel
124s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-10-2022 22:55
Static task
static1
Behavioral task
behavioral1
Sample
GOLAYA-DEVOCHKA.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
GOLAYA-DEVOCHKA.exe
Resource
win10v2004-20220812-en
General
-
Target
GOLAYA-DEVOCHKA.exe
-
Size
151KB
-
MD5
393261517b0efcf54d316cc541c9f590
-
SHA1
a3db81c8fe7ad5803e9f6f1f6457cfac823984f4
-
SHA256
db81ced9847834936d34d84c7183b75ec8da668e79750b3fbf7308de2ec3fa73
-
SHA512
0f2c104a420d3d10486d72af1cc83a1e5ccc02842788e7e3b71713538eed46390e506932dba86ea6602f4f0a4d319864e8c19a83e69a2eff7e4337f954edad46
-
SSDEEP
3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiV57zMcab/haOY8SYasTp:AbXE9OiTGfhEClq9Fn4AtYrN
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 4 928 WScript.exe 5 928 WScript.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hîsts WScript.exe File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe File opened for modification C:\Windows\System32\drivers\etc\hosts WScript.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 9 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\vinogradari\malshifg\milissa_enrike_els.bat GOLAYA-DEVOCHKA.exe File opened for modification C:\Program Files (x86)\vinogradari\malshifg\visel_drug_iz_parasi.sral GOLAYA-DEVOCHKA.exe File opened for modification C:\Program Files (x86)\vinogradari\malshifg\ti_chto_gonish.vbs GOLAYA-DEVOCHKA.exe File opened for modification C:\Program Files (x86)\vinogradari\malshifg\Uninstall.exe GOLAYA-DEVOCHKA.exe File opened for modification C:\Program Files (x86)\vinogradari\malshifg\podtirauuuu.zopu.ico GOLAYA-DEVOCHKA.exe File opened for modification C:\Program Files (x86)\vinogradari\malshifg\edem_vklubas_detka.wow GOLAYA-DEVOCHKA.exe File opened for modification C:\Program Files (x86)\vinogradari\malshifg\skazi_ese_raz_etu_frazu.nu GOLAYA-DEVOCHKA.exe File opened for modification C:\Program Files (x86)\vinogradari\malshifg\y.vbs GOLAYA-DEVOCHKA.exe File created C:\Program Files (x86)\vinogradari\malshifg\Uninstall.ini GOLAYA-DEVOCHKA.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1532 wrote to memory of 1216 1532 GOLAYA-DEVOCHKA.exe 27 PID 1532 wrote to memory of 1216 1532 GOLAYA-DEVOCHKA.exe 27 PID 1532 wrote to memory of 1216 1532 GOLAYA-DEVOCHKA.exe 27 PID 1532 wrote to memory of 1216 1532 GOLAYA-DEVOCHKA.exe 27 PID 1216 wrote to memory of 928 1216 cmd.exe 29 PID 1216 wrote to memory of 928 1216 cmd.exe 29 PID 1216 wrote to memory of 928 1216 cmd.exe 29 PID 1216 wrote to memory of 928 1216 cmd.exe 29 PID 1532 wrote to memory of 1904 1532 GOLAYA-DEVOCHKA.exe 30 PID 1532 wrote to memory of 1904 1532 GOLAYA-DEVOCHKA.exe 30 PID 1532 wrote to memory of 1904 1532 GOLAYA-DEVOCHKA.exe 30 PID 1532 wrote to memory of 1904 1532 GOLAYA-DEVOCHKA.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\vinogradari\malshifg\milissa_enrike_els.bat" "2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\vinogradari\malshifg\ti_chto_gonish.vbs"3⤵
- Blocklisted process makes network request
PID:928
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\vinogradari\malshifg\y.vbs"2⤵
- Drops file in Drivers directory
PID:1904
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27B
MD5213c0742081a9007c9093a01760f9f8c
SHA1df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA2569681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA51255182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
-
Filesize
3KB
MD524255a08ed0b0b3ae2b1bd6fb379a0af
SHA1a8152431d1985044ad091e7f5710489074e0596f
SHA2569a60462462d43bf8e9bae373bb1af850c452211c0855a32e95b65686c1544585
SHA512ccd8de94cb88894161efd67756bc1446915d98e7835f46615e684bd9c2e7a570d71ab7f645e8660d6933364aefc225a435c792ede0f85e5bf5333e3919c4d09f
-
Filesize
338B
MD5b9996574f0e69fc87d9f8132e872de0a
SHA13587d7a5006428edbc9518d7a426905c994f5581
SHA2565cd906abebbfe784a79b99f5090c9c5a73388d534ea9368098eb81a7e591271b
SHA51241fd792901d89e3c56d4e717fe39242dc27bd4cd683ac0a3c843bb0695120239d311100d690b3c181654c77e050a8a59fea2ce419003cc6a51168d27b66b4409
-
Filesize
64B
MD57f9a130179676d2bc80a23eeaf093202
SHA14beb8fbeb033b046a8d5b16b4476ba5c901265ec
SHA25603b6404bf6cc46f9876640cc6a9ead19eeb180f5a08b4ca0a0a23cd2b29e75de
SHA512887aa610394a02cc88629c9b95f6a0d7a23a0e4529406de6973010a9320461778b6c066e2636cdc112a7fbc46a646b019e2c588c5082d20182324d35bb4ed230
-
Filesize
979B
MD5856d260db7c59097504444d43f7d09f1
SHA1538b5cd124ebf863eec74659defab3f08918f2cf
SHA2568b113f0645af40d2ab08f0b36f37fc527d475149524364a1d052ff368bc01be2
SHA51272cf6dcf3c22ae1b703d095869123b0f77fd8afe754237c250f0b9074947994a6f13a3aad11ebc6d8965b482dfac78bc24c0c06ceca93637cbab78992809c81f
-
Filesize
1KB
MD522cf8376bd7251da68d1ac0c6231e294
SHA1d8388e49907f5a80b2be219665a7fe2607204bc4
SHA25618bf7cfa28c572d4c2be927596d30c4e9c82e0a695963c1f7209eb5c6b119592
SHA512541c1589234965c5a64e6ed7fdb332b5a065cc1e2d555928a51aec14aaf57793844fc63724a1878bd1abba8bb641d6879a5311454616cdbf7509e85dcd52e446