Analysis

  • max time kernel
    112s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-10-2022 15:27

General

  • Target

    GOLAYA-SEXY.exe

  • Size

    151KB

  • MD5

    91208381d3537614471a8ff960c08a09

  • SHA1

    0fbe92b622d0ebdcf61027de74643ef840465a1d

  • SHA256

    88e46e90d7f0a8a8b181c4ab2383cf0c6d75ff4c0fd78a167c928fc167a03c2f

  • SHA512

    934fe4c504679545c76759b02485e0c0f28dc07d6690542b889333a91d709c891c15d5f94c9feaf8627bad23b6dcf894f68de377a87aa63deaf700a4e1e20954

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiKB8eADONIX:AbXE9OiTGfhEClq9sTaOy

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1464
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1672

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\nebo_i.utro

    Filesize

    49B

    MD5

    3e59eb386cc49b0fda41a72aad441e91

    SHA1

    0699019319d25a9ff678ffe3394b9564aff5faf7

    SHA256

    ddf04736723e8c222a98f1fbb907c586e5c13c1c60faa6dfeec9783fa848d7f3

    SHA512

    4213c1c239e1ccd9f066fb11d70958cdb132010059df94d186e9098304b6c4bc612af70502b105e5ea3ecf16a3e01089fa5957ad94f21d5e3b083f438b4e8ca5

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\net_nichego.chem.vbs

    Filesize

    880B

    MD5

    6b4ed47e685ea89da13e2e47e18601bf

    SHA1

    e425f5a58ff043716b977a1506a8fb3b2bc938a9

    SHA256

    470d20f85f90dcae6ade4f9936c6245376c3157d8f7c388ce4f9c95a0d5c7a2b

    SHA512

    b37683c7128812fbc5658f18c1e14c25c44f6f0de5c15d9ac9cb91de823910b43952f5004c41339e6a18827922ee40ef7ce53ffb4cc8829c5ce0154429b2a174

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\net_niogo.bat

    Filesize

    3KB

    MD5

    7df62adfd153e765df0fd99d90cd4581

    SHA1

    eb1d2dcf5e4a867627743d96fabcad52c0c575af

    SHA256

    5bf33292489a7e21ccdb5fd913903c5da90eea5b1c619bea454cd31b3720b955

    SHA512

    b77b3308c60937f9b7aecff2f8670ea7775130c9dfd457827304ba82210433a824cadf659d98691a44892e20c4f358b82d2e808b7d97f00f0b41c1a5bca2bd9a

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\odni_lich_vesna.vbs

    Filesize

    341B

    MD5

    a06c00522124cb1a27039000ac83d22d

    SHA1

    36c242eb2671fcd90a63878e2be1f5e0921884c2

    SHA256

    ffa13ce370bff222b5e512163f5066e09db2115611887db424c950ca6e4799d6

    SHA512

    53d91bc4699988029ea920241a8836f202247fbbd91618e28ae38f311c11f52332a3a551591099da745778921ef795c2c62d4fefe6d5975b8679aef61584abda

  • C:\Program Files (x86)\na_dva\vesna_nebo_i\serdtse_toskuet.iop

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    6ab0366c27f08185c0d4375c02596855

    SHA1

    f9ff3458ec4b5b5aa94eec1e3a212a7921b50478

    SHA256

    489480a2f0aeed456ab09a8953471d49f76c8466867e28b86c69b70335cf28ee

    SHA512

    3a24a6e43d5888e1fccfdf55378b05cd4dc73678dff0cb053d6e7c71616877fb19fd1e71c11da1da6a48d0fa64b7c28ff544bf7ab1a7f71c49858cadc7088ec4

  • memory/1464-136-0x0000000000000000-mapping.dmp

  • memory/1672-137-0x0000000000000000-mapping.dmp

  • memory/4068-132-0x0000000000000000-mapping.dmp