Analysis

  • max time kernel: 57s
  • max time network: 52s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-11-2022 17:07

General

  • Target: PHOTO-GOLAYA.exe
  • Size: 174KB
  • MD5: 1ff3421e7ddfa60dcc30d18fac2913a8
  • SHA1: d93499e78895ee7dcfb38be26e7a227cc1d45d71
  • SHA256: d8e50905e0280d0182d1d5eb87407f405448505fcae27353e0e8ff74f9bbf545
  • SHA512: bf068d5e20409f83b32f7b0497fd213f1f26a2bc7c61f1ca2f1b3449449b24427ad3effa842234ce70703912c2d09bdbbd622652167169991460369d38d4c806
  • SSDEEP: 3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0hAeFVq4jMY1R2VE0A9WdDzi0jlp2l:3bXE9OiTGfhEClq9ZY2Vmex6

Score
8/10

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Drops file in Drivers directory (3 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Drops file in Program Files directory (9 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe (PID 1940, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 2028, depth 2)
      Command line: cmd /c ""C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat" "
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\WScript.exe (PID 1656, depth 3)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs"
        • Blocklisted process makes network request
    • C:\Windows\SysWOW64\WScript.exe (PID 1732, depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs"
      • Drops file in Drivers directory
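
The process tree is the part of this report most directly usable for detection: a dropper running from %LOCALAPPDATA%\Temp spawns cmd.exe on a .bat written under Program Files (x86), that cmd.exe launches WScript.exe on a .vbs from the same directory (the process tagged with the network request), and a second WScript.exe child of the dropper runs another .vbs; cmd.exe and that second WScript.exe are the processes tagged with the Drivers-directory write. The Python below is an added example, not part of the sandbox report or of the sample: it replays constructed process-creation events modelled on that tree (PIDs, image paths and command lines copied from the report; the parent PID 1000 and the explorer/notepad pair are made up as a benign control) and flags script or command hosts whose script lives under Program Files while an ancestor was launched out of the Temp directory. Note that the image paths are under SysWOW64 while the command lines say System32: the sample is 32-bit, and file system redirection maps its System32 references to SysWOW64, so the rule matches on the image basename rather than the full path.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the process tree in the report. PIDs, images and
# command lines for 1940/2028/1656/1732 are copied from it; PID 1000 (the launcher)
# and the explorer/notepad pair are made up as a benign control.
EVENTS = [
    ProcEvent(1940, 1000, r"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"'),
    ProcEvent(2028, 1940, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat" "'),
    ProcEvent(1656, 2028, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs"'),
    ProcEvent(1732, 1940, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs"'),
    ProcEvent(3000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 3000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Hosts that execute scripts or batch files. Basename only: a 32-bit process sees
# System32 redirected to SysWOW64, so the full path differs from the command line.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "powershell.exe"}
# First drive-letter path in the command line that ends in a script extension.
SCRIPT_PATH_RE = re.compile(
    r'([a-z]:\\[^"]*?\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta))(?=["\s]|$)', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\Program Files( \(x86\))?\\", re.I)


def ancestors(pid, by_pid):
    """Return the ancestor chain of pid, nearest parent first; stops at unknown or cyclic ppids."""
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def flag_script_chains(events):
    """Flag script/command hosts running a script under Program Files while
    descending from an executable launched out of %LOCALAPPDATA%\\Temp."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() not in SCRIPT_HOSTS:
            continue
        m = SCRIPT_PATH_RE.search(e.cmdline)
        if not m or not PROGRAM_FILES_RE.match(m.group(1)):
            continue
        chain = ancestors(e.pid, by_pid)
        temp_root = next((a for a in chain if TEMP_DIR_RE.search(a.image)), None)
        if temp_root is None:
            continue  # script under Program Files but no Temp-launched ancestor: installers do this
        lineage = [ntpath.basename(p.image) for p in reversed(chain)] + [ntpath.basename(e.image)]
        findings.append({"pid": e.pid, "script": m.group(1),
                         "dropper_pid": temp_root.pid, "lineage": " > ".join(lineage)})
    return findings


if __name__ == "__main__":
    for f in flag_script_chains(EVENTS):
        print(f"PID {f['pid']}: {f['lineage']} -> {f['script']} (dropper PID {f['dropper_pid']})")
```

Run against the events above it flags PIDs 2028, 1656 and 1732 with dropper PID 1940 and leaves the explorer/notepad control alone. The same two conditions (script path under Program Files, Temp-launched ancestor) translate directly into a Sysmon Event ID 1 or EDR query keyed on ParentImage and CommandLine.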

Downloads

  • C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs
    Filesize: 331B
    MD5: 9fb9fa8b1eba7579ab59c35c55c4381a
    SHA1: 68f72d042b70aff1b1f2b3cad791c0237c5ff372
    SHA256: 42f3fa8e95d4e4040407020bd72219aed19fdd7517f9d1aab0bad1d1a80364d0
    SHA512: f5f1f42e7bcef749a02b441659454f55d3d360fa8ea9fef5a4991691b02f5253a9c17a87e9da07db6f5d8d403824d42222da8a4dd025c563d44e42e2a49c6af2

  • C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs
    Filesize: 1002B
    MD5: 587b6535dbafe432757dda5cc75037ed
    SHA1: aac3f1ba914317b81a18f9d7fc9286fd61024b22
    SHA256: 53914090a33c0297333f7b74089cf20c161b054ddeef08c01307a9f809d54c1f
    SHA512: 944e71fb14f875007377f1aacc55df9667cd5668744f5feb036f579ebfda786e20cc295df21fa6c49738445a8f9cec09dcfaa2a0d36d08c34534a831b5d2d5ad

  • C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet
    Filesize: 59B
    MD5: 3e6372db557177e9ca76c4f471cf130c
    SHA1: 3e851ddf47bebe13f3495525bae5997efacd422c
    SHA256: 6b93cb0efdc95ac559151fb9102454da1cd5627f7ec2f9f30134089ebdc232b0
    SHA512: 642ddb68f154bef58c054cadba7f654ff702a1949fce2233ae226add187ccfe21052f59b56caa69fa1a078707564bd7e24ecca8796396557364a15abf0bfdeb1

  • C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat
    Filesize: 4KB
    MD5: 8c4ab3cd1af662f75273749f14d29a2f
    SHA1: 92966676820b011c316d63830fd01dce4123ab96
    SHA256: 3bbb56e6019bd19df88fd1f50b617e34cc0d9df000496fd66b14fbdb71574c95
    SHA512: 0a56c157abb0187eba251145d017c5c4fe508dd3ff43ff3ee0b7857406437f9bb5ceee55c16b0fb01c44cfc93a55556c54e082fd8d6bc0d414a1e99cc69ed9b7

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: 1064c483d3c5ea2bad9e228588d8c0ff
    SHA1: 4dba4163a55289c098cebf4e9b1c086b164bb02e
    SHA256: 494ca7f617f176dd5cb8c4cec40c880d1d9478e3b5b1855c8a53fc236c3102e0
    SHA512: 6d426289e218ed9f11148e85552e34cc7299f548c2cb5e800744d0bdc1f40618a8f1df41b317364dfa1b3aa6c81ea99e9a8b6e7426840ae5913d5c84674ed0ce

  • memory/1656-60-0x0000000000000000-mapping.dmp
  • memory/1732-62-0x0000000000000000-mapping.dmp
  • memory/1940-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize: 8KB
  • memory/2028-55-0x0000000000000000-mapping.dmp
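
The hash list above is what a responder carries to other hosts, and the rewritten hosts file is the one artefact here that changes the machine's behaviour after the sample exits. The Python below is an added example, not code from the report or from the sample's author: it keys the SHA-256 values of the parent and the six dropped files from this report, walks a directory tree for exact matches, and parses a hosts file for entries that point a hostname at a routable address, which is the shape a hosts-file hijack takes. The report records only the size and hashes of the rewritten C:\Windows\System32\drivers\etc\hosts, not its contents, so the hosts text in the block is constructed, and the demo directory is staged with a constructed decoy file whose hash is added as an extra IoC so the scanner can be exercised offline.

```python
import hashlib
import ipaddress
import os
import tempfile

# SHA-256 values copied from the report, keyed to the path each file had on the sandbox.
DROPPED_SHA256 = {
    "d8e50905e0280d0182d1d5eb87407f405448505fcae27353e0e8ff74f9bbf545": r"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe",
    "42f3fa8e95d4e4040407020bd72219aed19fdd7517f9d1aab0bad1d1a80364d0": r"C:\Program Files (x86)\chetireh_sten\temni\litsa_rot.vbs",
    "53914090a33c0297333f7b74089cf20c161b054ddeef08c01307a9f809d54c1f": r"C:\Program Files (x86)\chetireh_sten\temni\otosri_malenkuu_kakasku.vbs",
    "6b93cb0efdc95ac559151fb9102454da1cd5627f7ec2f9f30134089ebdc232b0": r"C:\Program Files (x86)\chetireh_sten\temni\tom_iz_kieva.zzet",
    "9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69": r"C:\Program Files (x86)\chetireh_sten\temni\ya_budu_pet_o_tebe.hla",
    "3bbb56e6019bd19df88fd1f50b617e34cc0d9df000496fd66b14fbdb71574c95": r"C:\Program Files (x86)\chetireh_sten\temni\zalipalochkun.bat",
    "494ca7f617f176dd5cb8c4cec40c880d1d9478e3b5b1855c8a53fc236c3102e0": r"C:\Windows\System32\drivers\etc\hosts",
}

# Constructed hosts-file content for demonstration only; the report does not
# show what the sample actually wrote into hosts.
SAMPLE_HOSTS = """\
# default header comments omitted
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net         # blocklist-style entry, not a redirect
198.51.100.23   www.example-bank.test   # redirect to a routable address
198.51.100.23   example-bank.test
"""


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_iocs(root, iocs=DROPPED_SHA256):
    """Walk root and return [(local_path, report_path)] for files whose SHA-256 is in iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def hosts_redirects(text):
    """Return (address, hostname) pairs that map a name to a routable address.
    Loopback and 0.0.0.0 entries are the normal shape of a hosts file (and of
    ad blockers), so only entries to other addresses are reported."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a valid mapping
        if addr.is_loopback or addr.is_unspecified:
            continue
        for host in parts[1:]:
            out.append((str(addr), host.lower()))
    return out


def demo_scan():
    """Stage a throwaway directory with a constructed decoy and a clean file, add the
    decoy's hash as an extra IoC, and return the scanner's hits as (basename, label)."""
    with tempfile.TemporaryDirectory() as root:
        decoy = os.path.join(root, "decoy.vbs")
        with open(decoy, "wb") as fh:
            fh.write(b'WScript.Echo "constructed decoy"\r\n')
        with open(os.path.join(root, "clean.txt"), "wb") as fh:
            fh.write(b"nothing to see\r\n")
        iocs = dict(DROPPED_SHA256)
        iocs[sha256_file(decoy)] = "constructed decoy IoC"
        return [(os.path.basename(p), label) for p, label in match_iocs(root, iocs)]


if __name__ == "__main__":
    print(demo_scan())
    for addr, host in hosts_redirects(SAMPLE_HOSTS):
        print(f"hosts redirect: {host} -> {addr}")
```

Exact hashes only catch unmodified copies of these scripts; the SSDEEP value in the report needs the external ssdeep library and is not computed here. The hosts parser is the behavioural check: on a host where the sample ran, any non-loopback mapping is suspect and the file should be compared against the report's hash and then restored from a known-good copy.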