24d872abc09076b63538a4d3c527b7c182d62b20796e44c8c4e51fadd2a7bb16

General

Target

GOLAYA-BABE.exe
Size

175KB
MD5

0855848b51a95094ec1d6e3435afcdcd
SHA1

c45137d62376862cea69c82257a54206be800fe4
SHA256

028ff5e38ed5512c3a00e337df2326c8e3ec6515e8fee5886c0fb5152e98e99a
SHA512

68403b0ae29a7c04dc30f8a8338b4dced5d76e3c2c56b3093d7888c9c87e788d9a2b3fc72b9724504d26eb4ef8eb79629c2bfae9043d67d559ae4f53e23050fa
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0hAeFCZeTcP/TGx2Usg:3bXE9OiTGfhEClq9z0c/TsJ

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4624	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\solnisko_moe_vstavai_laskovi_i_takoi_krasivi.lol	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tselovatsa v gubi stali\a potom\tom_ebet_vseh_bab.ololo	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	GOLAYA-BABE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 4404	720	GOLAYA-BABE.exe	82
PID 720 wrote to memory of 4404	720	GOLAYA-BABE.exe	82
PID 720 wrote to memory of 4404	720	GOLAYA-BABE.exe	82
PID 4404 wrote to memory of 4624	4404	cmd.exe	84
PID 4404 wrote to memory of 4624	4404	cmd.exe	84
PID 4404 wrote to memory of 4624	4404	cmd.exe	84
PID 720 wrote to memory of 4488	720	GOLAYA-BABE.exe	85
PID 720 wrote to memory of 4488	720	GOLAYA-BABE.exe	85
PID 720 wrote to memory of 4488	720	GOLAYA-BABE.exe	85

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs

Filesize
1020B

MD5
35d299d67fb06d20585643cc8e056d4c

SHA1
a4969af9abe91097dfdf0f7cbdffa8376df45d75

SHA256
071265cd46eec908605f4b76607e7d7e9a8630a479df4370235020b81d9027f0

SHA512
6b90cf7c3e8b0aeb012eea37600b9aa63f01e1b46b669edd52513303da2fd5b8b8ee587fb9b2feda6fcbdb1a7c620157d6b7eb97ce7c3e546fc22e4a678ff314

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei

Filesize
55B

MD5
1b0a037fa298b3e72d55e89ec99a2b28

SHA1
39063c23bc34adc8e15586cb71a82593b3318b79

SHA256
487d15c089bb55c99402af085659b01c378eb0260974dfb65d9a5e10f89d76f3

SHA512
2e5100c944ccff3a4410a9e7a4bf3a124ae22ec5b2ba830fcd72146e3002c718e27f99b83fa9cb8c0872755eed2ed85b1abc00a681f11427f0c75191b376123f

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat

Filesize
3KB

MD5
eaa197ff3d3346d52ad41a1628d9df49

SHA1
ed9ff3a6a657bd8d6a0545ef1095f8d4f7940c0b

SHA256
2d70625bdbc0c3a46eb68fc6fb990ec33b2daee4da32af0aa29c9a1684edd4b6

SHA512
577b8b360a84cc88163504cdc36b9a757a2e2fb6a5b6882a03624bfee352d1bdd25ae0c0771bb18e8a1b954514ac2812248b799f0d8af703726f89dbdc34f8ba

Download Submit
C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs

Filesize
299B

MD5
bad1c489cdaade54ddfd06264be54654

SHA1
8e24b3a6c2ae362f39ca52b5ffeabe9c77eb7340

SHA256
5b5847848267668ef1418ebfb39970c3c0b1df44affdcaecc98b1bba200085f0

SHA512
fe8ee5522f48cf05e989b0ba962a5ca00f72220186275fd31f4572fc84ec77d34739abbc9e28b71a1845e5b945fa589cd06200d5ff01574ec23a9d21c89e17e7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
22cf8376bd7251da68d1ac0c6231e294

SHA1
d8388e49907f5a80b2be219665a7fe2607204bc4

SHA256
18bf7cfa28c572d4c2be927596d30c4e9c82e0a695963c1f7209eb5c6b119592

SHA512
541c1589234965c5a64e6ed7fdb332b5a065cc1e2d555928a51aec14aaf57793844fc63724a1878bd1abba8bb641d6879a5311454616cdbf7509e85dcd52e446

Download Submit

Analysis

Sharing