Analysis

  • max time kernel: 78s
  • max time network: 88s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-10-2022 16:18

General

  • Target: GOLAYA-SEXY.exe
  • Size: 239KB
  • MD5: 83f4cefac5e99822b6a9620c7ad238e2
  • SHA1: 9d2f5837d278f2e4ca85501f8445befb17f35d3a
  • SHA256: 0fe2cbd52327d7e1d96bddc5745bfb9f2b550ecf449d5aba56509cea19673ab5
  • SHA512: 380f042c9fe07b031901af38a6d0fec2e0f59853db5511813726e82d11fcc2bc5878451232e49ba533f6c9e54b11ed8c32919cc94a211287caea2ac41f21bde2
  • SSDEEP: 3072:vBAp5XhKpN4eOyVTGfhEClj8jTk+0hmmaF8Zq+Cgw5CKHe:ybXE9OiTGfhEClq9tKbJJUe

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Drops file in Drivers directory (3 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Drops file in Program Files directory (17 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe (PID 1592, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 988, tree depth 2)
      Command line: cmd /c ""C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\Elephantsarelargemammals.bat" "
      • Drops file in Drivers directory
      • Drops file in Program Files directory
    • C:\Windows\SysWOW64\WScript.exe (PID 1724, tree depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\LearnallyouwantedtoknowaboutAfrican.vbs"
      • Drops file in Drivers directory
    • C:\Windows\SysWOW64\WScript.exe (PID 1888, tree depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\elephanttalk.vbs"
      • Blocklisted process makes network request

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\Elephantsarelargemammals.bat
    Filesize: 1KB
    MD5: 4fc3fbfb08bf2b2b99cf4e5b580e929a
    SHA1: c9d8cf7e2e636fb120209c2905baf8721a9d7c6f
    SHA256: c9d1384b1fa73ba33741fefe790b9c92b7d3c9f3f38dca9ca74772790c7602ab
    SHA512: b86c89c9b598e7ed53f6879cdfe3b0e55cfd4ba603fc60eb3d63337059122a20d0435e1b1c3eee8e088c2f2e9c8e116786ed7c11be9efc309955d0458e8beed3

  • C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\LearnallyouwantedtoknowaboutAfrican.elephants
    Filesize: 678B
    MD5: e8d6344994c28dbbf7fd5b58d40611fb
    SHA1: d422f79d5182c781380e5183f6119388e972b3b0
    SHA256: d803d9d08e7ccad1f53a992361d8e3be31fc443e9ed2cf75ea8c9b2796090444
    SHA512: eee6b52c8854b28121b8b0b809ff1eb8492edb0689c9f4510da559bb5b2556c0c26959a6c50de6a0d55695200a9a7c7e5249cdb286c5c635ba78e4512304ccfa

  • C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\LearnallyouwantedtoknowaboutAfrican.vbs
    Filesize: 678B
    MD5: e8d6344994c28dbbf7fd5b58d40611fb
    SHA1: d422f79d5182c781380e5183f6119388e972b3b0
    SHA256: d803d9d08e7ccad1f53a992361d8e3be31fc443e9ed2cf75ea8c9b2796090444
    SHA512: eee6b52c8854b28121b8b0b809ff1eb8492edb0689c9f4510da559bb5b2556c0c26959a6c50de6a0d55695200a9a7c7e5249cdb286c5c635ba78e4512304ccfa

  • C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\elephanttalk.lyrics
    Filesize: 141B
    MD5: e06efcba6541fe03359b966f7e8832d8
    SHA1: 258d08f0ff0f2c6c89e1f9cece372034886b6325
    SHA256: a9370120acd586c8d8672b4219b5f7fdce883e2f5ec0570f13b790ed4fd269c2
    SHA512: d3ba15430e0acd02a17ff0ed30f79cd30556fbd5a152f03e014a00e0feb9f5bc03d6c74a9ea066378f10d608d75c2fbfdc97b868eaec1532c40474f87a6470ce

  • C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\elephanttalk.vbs
    Filesize: 141B
    MD5: e06efcba6541fe03359b966f7e8832d8
    SHA1: 258d08f0ff0f2c6c89e1f9cece372034886b6325
    SHA256: a9370120acd586c8d8672b4219b5f7fdce883e2f5ec0570f13b790ed4fd269c2
    SHA512: d3ba15430e0acd02a17ff0ed30f79cd30556fbd5a152f03e014a00e0feb9f5bc03d6c74a9ea066378f10d608d75c2fbfdc97b868eaec1532c40474f87a6470ce

  • C:\Program Files (x86)\i pomoch drudu csegda gotov\eslib iz zadnitsi sipalis dengi\ofthefamilyElephantidaeandtheorder.proboscidea
    Filesize: 146B
    MD5: 748c5d5e28cbea83ecaa228b076109a3
    SHA1: a2f1c2edd53a3e939ab6423410a5f0bd47174748
    SHA256: 9e51f73789401f1bb492d90da712e932b82b7aa3d0312ea2ec056d7b1fbe17c3
    SHA512: ebea3922522eab5f28ccc29e73d82bfd3985bc1ce69a1fedff05b33bec45f9e982b3843425632bceecb1443a3e6c48e4116c08b3cb8266680c721fde9342c091

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: e756b71be76cd80a2dc3ae04deb9a309
    SHA1: 7cc93e6c927aa0bd1c83e5696e6195562ed27525
    SHA256: 4751e738816cbeae753aff68419fefd0817d6969b60db28b94d3de743abc20e7
    SHA512: 8db0b9f09ad3e16c1eddc900d0c75fdf447044fdaceefc44e778bc38dc62289fd0e134dd40453f0b9911a14c423cb92c3b6ef28bc16a66cd3aaa7ddab9b3a1a5

  • memory/988-55-0x0000000000000000-mapping.dmp

  • memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
    Filesize: 8KB

  • memory/1724-60-0x0000000000000000-mapping.dmp

  • memory/1888-65-0x0000000000000000-mapping.dmp