7ee991c3d632f17f9d505159b61ce56d9668f6a7441f060533fc6bd333e04863

General

Target

GOLAYA-PHOTO.exe
Size

151KB
MD5

b3f845ca159212f50fe671f8be7f31d5
SHA1

ae50522dce1d874cf8e34eb1304fdf915901b0c6
SHA256

8ac55857555aac7b3ef630e53efc5defb4d4b912cfc79ce3f186c123d61edce3
SHA512

57358f7ed4b4c1f2b7c307186be30382e531ef80f562b09b3532c6819b433a0efb86448b69687231488cbbac53d791f2a77493afc1f0412eeb900acb0026dd19
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hit4S1G8MIhFf:AbXE9OiTGfhEClq9nRJMIjf

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	676	WScript.exe
4	676	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\energetika_zenshin.ico	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\hoshesh.chtobi.ya.ushel	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\globalki.vbs	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\lichnost\kolombo\Uninstall.ini	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\kontrol.urv	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\squirting.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\perednyaya.stn	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\lichnost\kolombo\Uninstall.exe	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1688	2032	GOLAYA-PHOTO.exe	27
PID 2032 wrote to memory of 1688	2032	GOLAYA-PHOTO.exe	27
PID 2032 wrote to memory of 1688	2032	GOLAYA-PHOTO.exe	27
PID 2032 wrote to memory of 1688	2032	GOLAYA-PHOTO.exe	27
PID 1688 wrote to memory of 676	1688	cmd.exe	29
PID 1688 wrote to memory of 676	1688	cmd.exe	29
PID 1688 wrote to memory of 676	1688	cmd.exe	29
PID 1688 wrote to memory of 676	1688	cmd.exe	29
PID 2032 wrote to memory of 764	2032	GOLAYA-PHOTO.exe	30
PID 2032 wrote to memory of 764	2032	GOLAYA-PHOTO.exe	30
PID 2032 wrote to memory of 764	2032	GOLAYA-PHOTO.exe	30
PID 2032 wrote to memory of 764	2032	GOLAYA-PHOTO.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\lichnost\kolombo\squirting.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\globalki.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs

Filesize
1KB

MD5
5fdceae59f7527f9c3e80e7f64faebf6

SHA1
bc8c113ac2b8c90af115ee34bd35c1e73889326d

SHA256
8ec141fa458efa9a4e9bdc68a2c17c6bda291f4d4219d4cf11a0e9ef554ab078

SHA512
0537287e768df3ce2f49c8fabc31281697a226885ecf616e6503044d33c91e9a63bca3aa03ade8978af0847b093a6086d6720a307c6885f0c07f7cfa15c3cd22

Download Submit
C:\Program Files (x86)\lichnost\kolombo\globalki.vbs

Filesize
264B

MD5
8390f814860b2ceaf35305432d6ec88d

SHA1
9f48221b57a53a6e8314b86200611c27e6a570df

SHA256
bcf32b23f121fd8b6cf94cda3fd93e4df4ca7a1371fe9db1c7a42312c660a06d

SHA512
5334855617566335506ba110c43fc55e22842fdf0902fb0318a1820fe2e7a67c373febb2ece109867dc14f46a5456efa4be45170df04ce0d40ee32b5e53ee6fa

Download Submit
C:\Program Files (x86)\lichnost\kolombo\kontrol.urv

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\lichnost\kolombo\perednyaya.stn

Filesize
89B

MD5
494e4f5c6731bce0964e578708164f6b

SHA1
d917975cd46f8ff88a80ab3b26d7b8816d108335

SHA256
0e82235c770563b94a07287009963130cde3b0642db701b7e3b5c3fac5e64a70

SHA512
d001db93eda7372d88d5fdba41ac3d84d6d2398333660af216dfc59ce0377bb5cd20e5b39ca736b2591337dffd01ed4bfc688fcaba196ed705a8eba7275359b6

Download Submit
C:\Program Files (x86)\lichnost\kolombo\squirting.bat

Filesize
3KB

MD5
4e56d42e8fd0a03825f58baa95b51e5f

SHA1
d74b2015a947668fd68d0e4156e6550a71e84e81

SHA256
ca0e1a19840485e9c846098de6f829960bd7897ad1ebbcb8d501c5834a5f4c73

SHA512
0404bc460c580b1b5735ef12ee3d7f4f0cffc43da67b5af86c3923e95bccfea661a453d02cbc9a3c98b53d005a43f65eb2113d99b8e2a086ada84dd8904d9449

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e4052dfb3eb9ed5a08c840ef4c94dae0

SHA1
a0c8e665659f19d42ac2752b54f735fafdc91178

SHA256
21dbd76790026b47dcfe82b7e974474fce88c5e8ef55848e4ea6492923419ad0

SHA512
f892629aabdea21bf617359c5e3da17eaf5f528f67045506eab46d1677f0ac5935777eb14e60b9ab61566eba2239255a89d4752ab41ee27ed03fae7982d4ab79

Download Submit
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing