e3d202572720124b52461f26bb3d2cfed997f210fdaac4788dfbedd6fe394e27

General

Target

GOLAYA-BABE.exe
Size

167KB
MD5

ef228a906001229e469f7b61f89a0481
SHA1

d7bdedbf34f268353ef139e90455c9bfedbe5b25
SHA256

cd739c5a166fcea3510d2ab393e64da1ed3956cf19082258ec383e94b12baa52
SHA512

f191afd9e1059e4595a08ace41c65d2820ae6643a40e3c6877d6665462046cd7c8e0c3ff9a990fdad5912b663945f148787ac358c7b86d790e497a6acc2c45fa
SSDEEP

3072:mBAp5XhKpN4eOyVTGfhEClj8jTk+0hAy8nnDFysV19HWn:dbXE9OiTGfhEClq928nnDI4HWn

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
14	5116	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\i chaya\telochka\nikloka.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\numerovat.naoborot.str	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\surzik_masurzik.alo	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\nuzki.luzki	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\i chaya\telochka\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\valera.alera.valera	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\runer.bat	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3584	2556	GOLAYA-BABE.exe	83
PID 2556 wrote to memory of 3584	2556	GOLAYA-BABE.exe	83
PID 2556 wrote to memory of 3584	2556	GOLAYA-BABE.exe	83
PID 2556 wrote to memory of 1992	2556	GOLAYA-BABE.exe	85
PID 2556 wrote to memory of 1992	2556	GOLAYA-BABE.exe	85
PID 2556 wrote to memory of 1992	2556	GOLAYA-BABE.exe	85
PID 1992 wrote to memory of 4756	1992	cmd.exe	87
PID 1992 wrote to memory of 4756	1992	cmd.exe	87
PID 1992 wrote to memory of 4756	1992	cmd.exe	87
PID 1992 wrote to memory of 5116	1992	cmd.exe	88
PID 1992 wrote to memory of 5116	1992	cmd.exe	88
PID 1992 wrote to memory of 5116	1992	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\i chaya\telochka\nikloka.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\i chaya\telochka\runer.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:4756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\i chaya\telochka\nikloka.bat

Filesize
3KB

MD5
fc9bcdcc0ef6ab5f71065aaa78023eaa

SHA1
88b9ddd398aa75a42daca91a26c7538f13be5406

SHA256
b5061a9b2deebab1baa353ff19548726a187912ecd210ed6a64dc53d0c071125

SHA512
432c312fa95d1bfa503af3f5cefa05c5640eb24c6ec9f62c643d2fc4c8a98d4bccad7589df8da442c52b7e00513b13108d4d0f6fef29f5e69ab0e64d7558ffe0

Download Submit
C:\Program Files (x86)\i chaya\telochka\numerovat.naoborot.str

Filesize
73B

MD5
11ed4b7aa113addd2c198563e84aa480

SHA1
258372cbea7b75b0d93abcbea307059e0ec98dd2

SHA256
15703efd02ecbce709b6df59a984c54c5713c5b2b7f6c4e359317cce27ab7680

SHA512
958ce6fa3706f93257b150c7f2f1625f00d106d19919119fc291539c384a7025a9794875cafdf3987d3b8f9a5290e72881376425dcacd13da3422c3848be1099

Download Submit
C:\Program Files (x86)\i chaya\telochka\nuzki.luzki

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\i chaya\telochka\runer.bat

Filesize
84B

MD5
9ba3ef323fc62cd21104079ca7de3bb2

SHA1
411d830fdefb2ec5a376d0f6c3aeca3b5b14aa63

SHA256
75a26aa5af163060f735d8d8474935fff804cb52e80289e162fb2c8d6436161f

SHA512
936ef03ef32981617d865d856275cd776af108933096e55bf4a964ecbd84f690411fb2d98a1338df1702c0499f2897cd8058b87170a66bd8abee2f967e64c0c6

Download Submit
C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs

Filesize
1005B

MD5
cd7005b538dc2fd181ea5086aa61dc54

SHA1
b887ef0b7e02635db98a9083bd918cd0168e9c5c

SHA256
792d50ba5955652406ab77ccc9c7b738fc2d615a30cc540a63b1aff854469d01

SHA512
a3282c5febc68be57995d069186e2d23eecdaf7fbca4150f3114ab45f25da1b9d97a459e1ffec49988213e661b6202fb86d34e0f1833c61f8157ec370397b6dd

Download Submit
C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs

Filesize
442B

MD5
2591ebe3c655b21a4baa232e437f0d5b

SHA1
675456c2c0d393c8615a753f4bfe3faee25698a3

SHA256
de01f2469a4494eb564ccb3ab6a406e840e0bd3f3ba059959770d1b33c34753a

SHA512
ccdc5901fc5e92f5b0a187835fbf4eacd15d125fe3e5e93aa740fcc7274790cddae1164224f9b87b2ee4d10f2b35b20dec8c8752f76e5a160fdf0f791fe7a2b8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f2041b5c3c56cce2f8d8b1d8d66436dc

SHA1
65f29a8575f514bdfefada02037acbeb57619dbf

SHA256
9a06fcc7ef43b6850c770a9304712d0cab6d343851322963540d52c43d6fe638

SHA512
ffa9310ea6fb523468d2380bc4fd301bf3141779be5373be92b4ae7a8d625ed1f22ff45bdfb9cb9621ef894725530e1ca7a92b5e5c000526b3e64148c0682996

Download Submit

Analysis

Sharing