db3407c42600c656420f0d1bc63fe7887030b2e407da6983374e1a6bf9ce1c94

General

Target

GOLAYA-DEVOCHKA.exe
Size

151KB
MD5

393261517b0efcf54d316cc541c9f590
SHA1

a3db81c8fe7ad5803e9f6f1f6457cfac823984f4
SHA256

db81ced9847834936d34d84c7183b75ec8da668e79750b3fbf7308de2ec3fa73
SHA512

0f2c104a420d3d10486d72af1cc83a1e5ccc02842788e7e3b71713538eed46390e506932dba86ea6602f4f0a4d319864e8c19a83e69a2eff7e4337f954edad46
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiV57zMcab/haOY8SYasTp:AbXE9OiTGfhEClq9Fn4AtYrN

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	3852	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GOLAYA-DEVOCHKA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\edem_vklubas_detka.wow	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\y.vbs	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\ti_chto_gonish.vbs	GOLAYA-DEVOCHKA.exe
File created	C:\Program Files (x86)\vinogradari\malshifg\Uninstall.ini	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\podtirauuuu.zopu.ico	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\milissa_enrike_els.bat	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\visel_drug_iz_parasi.sral	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\skazi_ese_raz_etu_frazu.nu	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\vinogradari\malshifg\Uninstall.exe	GOLAYA-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	GOLAYA-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4348	2736	GOLAYA-DEVOCHKA.exe	83
PID 2736 wrote to memory of 4348	2736	GOLAYA-DEVOCHKA.exe	83
PID 2736 wrote to memory of 4348	2736	GOLAYA-DEVOCHKA.exe	83
PID 4348 wrote to memory of 3852	4348	cmd.exe	85
PID 4348 wrote to memory of 3852	4348	cmd.exe	85
PID 4348 wrote to memory of 3852	4348	cmd.exe	85
PID 2736 wrote to memory of 4984	2736	GOLAYA-DEVOCHKA.exe	86
PID 2736 wrote to memory of 4984	2736	GOLAYA-DEVOCHKA.exe	86
PID 2736 wrote to memory of 4984	2736	GOLAYA-DEVOCHKA.exe	86

C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\vinogradari\malshifg\milissa_enrike_els.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\vinogradari\malshifg\ti_chto_gonish.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\vinogradari\malshifg\y.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\vinogradari\malshifg\edem_vklubas_detka.wow

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\vinogradari\malshifg\milissa_enrike_els.bat

Filesize
3KB

MD5
24255a08ed0b0b3ae2b1bd6fb379a0af

SHA1
a8152431d1985044ad091e7f5710489074e0596f

SHA256
9a60462462d43bf8e9bae373bb1af850c452211c0855a32e95b65686c1544585

SHA512
ccd8de94cb88894161efd67756bc1446915d98e7835f46615e684bd9c2e7a570d71ab7f645e8660d6933364aefc225a435c792ede0f85e5bf5333e3919c4d09f

Download Submit
C:\Program Files (x86)\vinogradari\malshifg\ti_chto_gonish.vbs

Filesize
338B

MD5
b9996574f0e69fc87d9f8132e872de0a

SHA1
3587d7a5006428edbc9518d7a426905c994f5581

SHA256
5cd906abebbfe784a79b99f5090c9c5a73388d534ea9368098eb81a7e591271b

SHA512
41fd792901d89e3c56d4e717fe39242dc27bd4cd683ac0a3c843bb0695120239d311100d690b3c181654c77e050a8a59fea2ce419003cc6a51168d27b66b4409

Download Submit
C:\Program Files (x86)\vinogradari\malshifg\visel_drug_iz_parasi.sral

Filesize
64B

MD5
7f9a130179676d2bc80a23eeaf093202

SHA1
4beb8fbeb033b046a8d5b16b4476ba5c901265ec

SHA256
03b6404bf6cc46f9876640cc6a9ead19eeb180f5a08b4ca0a0a23cd2b29e75de

SHA512
887aa610394a02cc88629c9b95f6a0d7a23a0e4529406de6973010a9320461778b6c066e2636cdc112a7fbc46a646b019e2c588c5082d20182324d35bb4ed230

Download Submit
C:\Program Files (x86)\vinogradari\malshifg\y.vbs

Filesize
979B

MD5
856d260db7c59097504444d43f7d09f1

SHA1
538b5cd124ebf863eec74659defab3f08918f2cf

SHA256
8b113f0645af40d2ab08f0b36f37fc527d475149524364a1d052ff368bc01be2

SHA512
72cf6dcf3c22ae1b703d095869123b0f77fd8afe754237c250f0b9074947994a6f13a3aad11ebc6d8965b482dfac78bc24c0c06ceca93637cbab78992809c81f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
22cf8376bd7251da68d1ac0c6231e294

SHA1
d8388e49907f5a80b2be219665a7fe2607204bc4

SHA256
18bf7cfa28c572d4c2be927596d30c4e9c82e0a695963c1f7209eb5c6b119592

SHA512
541c1589234965c5a64e6ed7fdb332b5a065cc1e2d555928a51aec14aaf57793844fc63724a1878bd1abba8bb641d6879a5311454616cdbf7509e85dcd52e446

Download Submit
memory/3852-136-0x0000000000000000-mapping.dmp

Download
memory/4348-132-0x0000000000000000-mapping.dmp

Download
memory/4984-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing