Analysis

  • max time kernel
    57s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/10/2022, 15:28

General

  • Target

    GOLAYA-RUSSKAYA.exe

  • Size

    174KB

  • MD5

    0d3692bc2dc24d324a86701230e9e7d3

  • SHA1

    2048aaebc94b9bb56a58bebc7af601c65fe970de

  • SHA256

    b75ac8dc3ae9db3756e0029fb5701f65975ac8b65aad8940792d6f594ad5c0f9

  • SHA512

    0c1b75d8fa73bb3822176ba1acfd41fb296faf4dd06dcf834f802d102d244b916b8c14e13d5971e7ca27078f9288ad65bc7e7abcb4f3259e2a694ec9ef41ac61

  • SSDEEP

    3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0hAeFOq4jMY19XGaUD3OSNUW4GIp8:3bXE9OiTGfhEClq9eYH/mOSNUzm

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:884
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:660

Network


        Downloads

        • C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs

          Filesize

          292B

          MD5

          6a2321e23d4dd054d34946b554e0089f

          SHA1

          e3ee94f47c153ad57f31b5c3ef8662c12921b556

          SHA256

          78fb2fc1e30cfbdc09b6802e411a175c2334fc31cc066da88224ca729c77da5a

          SHA512

          4e57f9a915396a5baab3f675c90ba78fb243221c9b667ce13205ea6f28e0da017daa25f35ce9925255e2ac954101eb5f1b430c3772cb7a9ffa28c102604f48a3

        • C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs

          Filesize

          951B

          MD5

          752135fff040c0a765d06db29d7d97c5

          SHA1

          dc53c4c6db7ae7b1f9aeadda21011fa869e288d6

          SHA256

          d3d322bf5b98bb433c1642f959ad6c36a62be625163d42562eca8221c654228c

          SHA512

          0eda583365af1d21cd876f022bc9b078f3f6f9d3eadcab1c5c7207ca1bd82a33a39b8013f9798b0e4050e70d1444c8f3cb47ae2f7d3074d96ddfb7e5646c2469

        • C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet

          Filesize

          49B

          MD5

          41c0636a7bfa64f716d005438173a546

          SHA1

          3f1145a2f5c7c58070c6affd5f114a15210a2b03

          SHA256

          fbcfadc3f973689dd3ebd8e21b60b8c867007732adb1563d012bc2a564546225

          SHA512

          8fcb01d02dab059e0546d49108958d08d59e74d157aa65fcb89468914d7d7c23d80efc8b45e73da821135fdcdf86b773fdb102abc6bf9fda339cdfd1126cc739

        • C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla

          Filesize

          27B

          MD5

          213c0742081a9007c9093a01760f9f8c

          SHA1

          df53bb518c732df777b5ce19fc7c02dcb2f9d81b

          SHA256

          9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

          SHA512

          55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

        • C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat

          Filesize

          4KB

          MD5

          8c4ab3cd1af662f75273749f14d29a2f

          SHA1

          92966676820b011c316d63830fd01dce4123ab96

          SHA256

          3bbb56e6019bd19df88fd1f50b617e34cc0d9df000496fd66b14fbdb71574c95

          SHA512

          0a56c157abb0187eba251145d017c5c4fe508dd3ff43ff3ee0b7857406437f9bb5ceee55c16b0fb01c44cfc93a55556c54e082fd8d6bc0d414a1e99cc69ed9b7

        • C:\Windows\System32\drivers\etc\hosts

          Filesize

          1KB

          MD5

          1064c483d3c5ea2bad9e228588d8c0ff

          SHA1

          4dba4163a55289c098cebf4e9b1c086b164bb02e

          SHA256

          494ca7f617f176dd5cb8c4cec40c880d1d9478e3b5b1855c8a53fc236c3102e0

          SHA512

          6d426289e218ed9f11148e85552e34cc7299f548c2cb5e800744d0bdc1f40618a8f1df41b317364dfa1b3aa6c81ea99e9a8b6e7426840ae5913d5c84674ed0ce

        • memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

          Filesize

          8KB