0b27d9761dd03f446635126549558de439f77ff78126930251c2567a310df6d9

General

Target

GOLAYA-SEXY.exe
Size

170KB
MD5

073edfea6695c3a6aaddfc50022aeffc
SHA1

3e9692abde823bb7ffba12522912357e4b224b95
SHA256

cd7f758c95be6a86958d1ebbcdedaefbeebb6bc8e0808b612aa93676ba70f2c1
SHA512

770e8dfdb7087100c0dd49e5bf80aa7336a843757aeb71af8efd392c8c634825727fa0c474510cb867e66ba167b72b7e21df2212a094733308b6ddae97e0b022
SSDEEP

3072:gBAp5XhKpN4eOyVTGfhEClj8jTk+0h66dU7qS0F2yxLioDqZEUqfTIK8:XbXE9OiTGfhEClq9n6WqV4eioDqZEXT2

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
22	2316	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GOLAYA-SEXY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\kakiento_nmomenti.ne_trudni.v.vozd	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\Uninstall.exe	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\stulandos.dik	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\nenuzni\poqflgodjg\Uninstall.ini	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\ne_zabudu_nikogda.ico	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\blesk_glag.golo	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat	GOLAYA-SEXY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	GOLAYA-SEXY.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4232	2400	GOLAYA-SEXY.exe	81
PID 2400 wrote to memory of 4232	2400	GOLAYA-SEXY.exe	81
PID 2400 wrote to memory of 4232	2400	GOLAYA-SEXY.exe	81
PID 4232 wrote to memory of 2316	4232	cmd.exe	83
PID 4232 wrote to memory of 2316	4232	cmd.exe	83
PID 4232 wrote to memory of 2316	4232	cmd.exe	83
PID 2400 wrote to memory of 4444	2400	GOLAYA-SEXY.exe	84
PID 2400 wrote to memory of 4444	2400	GOLAYA-SEXY.exe	84
PID 2400 wrote to memory of 4444	2400	GOLAYA-SEXY.exe	84

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\nenuzni\poqflgodjg\blesk_glag.golo

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs

Filesize
902B

MD5
4df16992431cb469f8d216749a5bd235

SHA1
6bea76b258476b6e496f75fe9a681de3bfbf9ab2

SHA256
a62b30c369156fa221a18642574526fd872008bef2706f53de2d7f778e6f0312

SHA512
93ccf76112d1f81520729b4c05c7d471013a38bb715d9694545a78bfbe5dfd4da4eb873ea72aeda622acf1bbc35a221504fb2bf148aafe89bf07fc4f854c3992

Download Submit
C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat

Filesize
3KB

MD5
0e7c4e236670b2f0cb80be2c2bf376d9

SHA1
b0632a8e110988ae5c7627a050f977f1ea028916

SHA256
ba78bafa531df19ab9daea2224ae169f2bc587d8264dc4c743e59e21f0465056

SHA512
e88adf8bc261e9349a5ff1f5a291b0eb16e70ea86af6d810a7f7639fab1e764e343aba25030ea87f3a8f00247b22fde00ca415c7ec1ecc51515599b202b1d95e

Download Submit
C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs

Filesize
284B

MD5
269de726c489efa1ceade4f96619915b

SHA1
fa266c3fb476ae5c20c4bc5c91b136e2a3bd081b

SHA256
e9b3455669fd1b6694e1e6e0a0fefa949689c32f24a3b0ca5b8cf16dc9f5ce83

SHA512
a9b8122325aee5b1a3069c981b419023c0ac44fdd0d90277dd130e4fbcde97ddee9e8dcf549c319b4e9dcd9251ea3f9443649e65ebf17df49d0d21c0a2ba02f4

Download Submit
C:\Program Files (x86)\nenuzni\poqflgodjg\stulandos.dik

Filesize
66B

MD5
e1d328e04613aacfd48bfd6f39dcd435

SHA1
3a9e1567d9c5bb8add58c0cdad2d800138cdf4cc

SHA256
f3de051b3659f9d0a67d145fabee5a231b555fb6d4bc7d4915c46e30dfb1dab3

SHA512
4d84369faed2065efb850fffdbe950f50749efa26ab7d8619bfeb977cb353948d58ccadb8a54f0a2f7ac95f0d1573263027e54c4862243cd331cc440dea4c1b9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e4052dfb3eb9ed5a08c840ef4c94dae0

SHA1
a0c8e665659f19d42ac2752b54f735fafdc91178

SHA256
21dbd76790026b47dcfe82b7e974474fce88c5e8ef55848e4ea6492923419ad0

SHA512
f892629aabdea21bf617359c5e3da17eaf5f528f67045506eab46d1677f0ac5935777eb14e60b9ab61566eba2239255a89d4752ab41ee27ed03fae7982d4ab79

Download Submit

Analysis

Sharing