1ac297877e6c05725bc74116d34dae5711a8f0edba29b3fc44c14f570c749742

General

Target

GOLAYA-PHOTO.exe
Size

174KB
MD5

940ea74edf627c19f88627fc5da79fb9
SHA1

cf4c85022398b7833fcd96b639043dabfca6bc0b
SHA256

0d5428b43606d785e233906a461c345a3c233ec35e4aba381f91df5c935a99bb
SHA512

7e6e7e0d379e316cd7efa0e931d3e0b409994cd49b52c43b3d211c9cb2a5db3610824db76e8f4d3ee9fbf65710e60e1e7ba20a32e46d525cdef205b078501960
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0hAeFFq4jMY1ZfRfVv0Rw:3bXE9OiTGfhEClq95YN9se

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1732	WScript.exe
5	1732	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\chetireh_sten\temni\Uninstall.ini	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\zakolot_telku.nah.ico	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\mnogo_telok_i_nada_vseh_ebat.ffak	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\chetireh_sten\temni\Uninstall.exe	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1808	1368	GOLAYA-PHOTO.exe	27
PID 1368 wrote to memory of 1808	1368	GOLAYA-PHOTO.exe	27
PID 1368 wrote to memory of 1808	1368	GOLAYA-PHOTO.exe	27
PID 1368 wrote to memory of 1808	1368	GOLAYA-PHOTO.exe	27
PID 1808 wrote to memory of 1732	1808	cmd.exe	29
PID 1808 wrote to memory of 1732	1808	cmd.exe	29
PID 1808 wrote to memory of 1732	1808	cmd.exe	29
PID 1808 wrote to memory of 1732	1808	cmd.exe	29
PID 1368 wrote to memory of 820	1368	GOLAYA-PHOTO.exe	30
PID 1368 wrote to memory of 820	1368	GOLAYA-PHOTO.exe	30
PID 1368 wrote to memory of 820	1368	GOLAYA-PHOTO.exe	30
PID 1368 wrote to memory of 820	1368	GOLAYA-PHOTO.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs

Filesize
338B

MD5
2f1d6f3f5153ce3aad2872a7ce15e175

SHA1
888db003c30dc27493785b680e16d4146439b077

SHA256
44424775ca96d3be8ce71787b8ad465676efbf78e6d193924211b9f582479fb4

SHA512
43f07305867eb0b014b66d8bca507612658de59aeb899b8233060464bfeb021a976ee429a43536209ffe8967145850dcdae2c19d75264bf0d5f46bf552d90f0c

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs

Filesize
937B

MD5
1d5a1d40e59daa42ff39f23869a11c5d

SHA1
5203361779058184483fbd042e03bfe595be5472

SHA256
bf9ecf8fd901fb5bc1534bcfd6583173a36a3f138fc536d3b90d83326cc913a4

SHA512
e11d5f8defe97fecb8ead7b6677d12af3f52af09957519e02ac615ea6ec8001cbcf43820376c9c9ca19a3f02ecd77a631b0a991179ebb00cac641664d606979b

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet

Filesize
49B

MD5
7ba1030d49a83d4eb3d60a37ded2e5e4

SHA1
f208c23fca59b8eead4747756bb1d1201e8c7812

SHA256
6030878e2523aff5cd6554a5c94c559293b0ec9fa8744f6169e29896c1362101

SHA512
4442e9585518d12263beed4758b1d07e48bfb959fd6cffe32b31dae2f5f6570e6d627172721046decb4a2c20514ee0d282721f5c31f07cd10320d41db6fbff60

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat

Filesize
4KB

MD5
37b90833161da621de8f1cbb4aa38b1f

SHA1
89003cb0a1083e8445f9291c425fabc43ed537d9

SHA256
c408be33c1c302af0c2bbb627dccbe52a2855a79cbf821a1f6bff7e94e0c9410

SHA512
ef42ba8b0a39e6ec006e03bd10945fba7175f1943e03d6d397ef546599bdbabfbcfb880b56c4c1bd441233a4d4328b70eedcf604fb08c0d0fd0a2898fa8b92a0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1064c483d3c5ea2bad9e228588d8c0ff

SHA1
4dba4163a55289c098cebf4e9b1c086b164bb02e

SHA256
494ca7f617f176dd5cb8c4cec40c880d1d9478e3b5b1855c8a53fc236c3102e0

SHA512
6d426289e218ed9f11148e85552e34cc7299f548c2cb5e800744d0bdc1f40618a8f1df41b317364dfa1b3aa6c81ea99e9a8b6e7426840ae5913d5c84674ed0ce

Download Submit
memory/1368-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing