b55549d4200df1e972eedcb1121f49d0542062906daa53d138fdcd9e8863d9f1

General

Target

GOLAYA-RUSSKAYA.exe
Size

174KB
MD5

0d3692bc2dc24d324a86701230e9e7d3
SHA1

2048aaebc94b9bb56a58bebc7af601c65fe970de
SHA256

b75ac8dc3ae9db3756e0029fb5701f65975ac8b65aad8940792d6f594ad5c0f9
SHA512

0c1b75d8fa73bb3822176ba1acfd41fb296faf4dd06dcf834f802d102d244b916b8c14e13d5971e7ca27078f9288ad65bc7e7abcb4f3259e2a694ec9ef41ac61
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0hAeFOq4jMY19XGaUD3OSNUW4GIp8:3bXE9OiTGfhEClq9eYH/mOSNUzm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	4832	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GOLAYA-RUSSKAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\Uninstall.exe	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\mnogo_telok_i_nada_vseh_ebat.ffak	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\chetireh_sten\temni\Uninstall.ini	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\zakolot_telku.nah.ico	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet	GOLAYA-RUSSKAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	GOLAYA-RUSSKAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4164	4748	GOLAYA-RUSSKAYA.exe	81
PID 4748 wrote to memory of 4164	4748	GOLAYA-RUSSKAYA.exe	81
PID 4748 wrote to memory of 4164	4748	GOLAYA-RUSSKAYA.exe	81
PID 4164 wrote to memory of 4832	4164	cmd.exe	83
PID 4164 wrote to memory of 4832	4164	cmd.exe	83
PID 4164 wrote to memory of 4832	4164	cmd.exe	83
PID 4748 wrote to memory of 4032	4748	GOLAYA-RUSSKAYA.exe	84
PID 4748 wrote to memory of 4032	4748	GOLAYA-RUSSKAYA.exe	84
PID 4748 wrote to memory of 4032	4748	GOLAYA-RUSSKAYA.exe	84

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs

Filesize
292B

MD5
6a2321e23d4dd054d34946b554e0089f

SHA1
e3ee94f47c153ad57f31b5c3ef8662c12921b556

SHA256
78fb2fc1e30cfbdc09b6802e411a175c2334fc31cc066da88224ca729c77da5a

SHA512
4e57f9a915396a5baab3f675c90ba78fb243221c9b667ce13205ea6f28e0da017daa25f35ce9925255e2ac954101eb5f1b430c3772cb7a9ffa28c102604f48a3

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs

Filesize
951B

MD5
752135fff040c0a765d06db29d7d97c5

SHA1
dc53c4c6db7ae7b1f9aeadda21011fa869e288d6

SHA256
d3d322bf5b98bb433c1642f959ad6c36a62be625163d42562eca8221c654228c

SHA512
0eda583365af1d21cd876f022bc9b078f3f6f9d3eadcab1c5c7207ca1bd82a33a39b8013f9798b0e4050e70d1444c8f3cb47ae2f7d3074d96ddfb7e5646c2469

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet

Filesize
49B

MD5
41c0636a7bfa64f716d005438173a546

SHA1
3f1145a2f5c7c58070c6affd5f114a15210a2b03

SHA256
fbcfadc3f973689dd3ebd8e21b60b8c867007732adb1563d012bc2a564546225

SHA512
8fcb01d02dab059e0546d49108958d08d59e74d157aa65fcb89468914d7d7c23d80efc8b45e73da821135fdcdf86b773fdb102abc6bf9fda339cdfd1126cc739

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat

Filesize
4KB

MD5
8c4ab3cd1af662f75273749f14d29a2f

SHA1
92966676820b011c316d63830fd01dce4123ab96

SHA256
3bbb56e6019bd19df88fd1f50b617e34cc0d9df000496fd66b14fbdb71574c95

SHA512
0a56c157abb0187eba251145d017c5c4fe508dd3ff43ff3ee0b7857406437f9bb5ceee55c16b0fb01c44cfc93a55556c54e082fd8d6bc0d414a1e99cc69ed9b7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1064c483d3c5ea2bad9e228588d8c0ff

SHA1
4dba4163a55289c098cebf4e9b1c086b164bb02e

SHA256
494ca7f617f176dd5cb8c4cec40c880d1d9478e3b5b1855c8a53fc236c3102e0

SHA512
6d426289e218ed9f11148e85552e34cc7299f548c2cb5e800744d0bdc1f40618a8f1df41b317364dfa1b3aa6c81ea99e9a8b6e7426840ae5913d5c84674ed0ce

Download Submit
memory/4032-137-0x0000000000000000-mapping.dmp

Download
memory/4164-132-0x0000000000000000-mapping.dmp

Download
memory/4832-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing