58d679c7ebd167d597e2fbaca28045181d04e4c88116e4a7d91472af3592163f

General

Target

GOLAYA-TOPLESS.exe
Size

237KB
MD5

e61bd730e06e58b62b401ec80fee428e
SHA1

46833a190b51364c9e965c06e52e6b04445265cc
SHA256

32c82a37972dafc4b423b117c5dfbff89cb2a6e35badecab68119e1d0ab48c7a
SHA512

b41181d0cbf9223b40a161072e13b03d25b90889adc23e603fd9212e6b654c51e8314e4319cb9b16e9580037ea5d24d571d8f499464c0e9f431cb9acdbbdac62
SSDEEP

3072:tBAp5XhKpN4eOyVTGfhEClj8jTk+0hGrGivgXrC2S7yfH84zsEn/iOjt7hM8Wjzd:obXE9OiTGfhEClq9bweKRZLoJJUG

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	2460	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	GOLAYA-TOPLESS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\dooolina_op.ppp	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\Uninstall.exe	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\Uninstall.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\Uninstall.ini	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs	cmd.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\1.txt	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.oui	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\1.txt	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.oui	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs	cmd.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\dooolina_op.ppp	GOLAYA-TOPLESS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	GOLAYA-TOPLESS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3684	1560	GOLAYA-TOPLESS.exe	81
PID 1560 wrote to memory of 3684	1560	GOLAYA-TOPLESS.exe	81
PID 1560 wrote to memory of 3684	1560	GOLAYA-TOPLESS.exe	81
PID 3684 wrote to memory of 2460	3684	cmd.exe	83
PID 3684 wrote to memory of 2460	3684	cmd.exe	83
PID 3684 wrote to memory of 2460	3684	cmd.exe	83
PID 1560 wrote to memory of 4972	1560	GOLAYA-TOPLESS.exe	84
PID 1560 wrote to memory of 4972	1560	GOLAYA-TOPLESS.exe	84
PID 1560 wrote to memory of 4972	1560	GOLAYA-TOPLESS.exe	84

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\poddddkody_dap\novaya\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs

Filesize
574B

MD5
dd2d2e5b20365df4239d2a39ad2e4e6f

SHA1
ce1e1625a34340feef885f576055688c6d35de08

SHA256
d12067fde5906b541028d6fe43ccbb72e617ab0ef383efe8198c1dd2d82ecb60

SHA512
a750cbf19dd558838b499247551457bbaf02378bc7d7624a614dd1ba3c0d6d0ce6a0b52f827ce26684f8f64d1e8230109ce0a6cd370abb9c6980860efaf1e109

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\dooolina_op.ppp

Filesize
51B

MD5
49abe10db22821407754c0864fd6167d

SHA1
52cecc3070034bc3f0c193aaafbe2655355e4295

SHA256
bd00230b5cbf7586b3781b47985c7cb98bd0d6984b1993dad81db28f885959d3

SHA512
0dcc60053ac878fbf531cc67f5959d16abce03c36a8a50a53385bdda79cef116bab32c9fa57f102252da045ab5b92f10d182126a9f1effe9b0757ce6930bd1ca

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat

Filesize
1KB

MD5
6d0c88956089ac1294ba0f84abfcf93e

SHA1
5c7d83487bf06ab592b3d8bb232be3801ee5ec0b

SHA256
7d07d9ec0ebd2e8470a4c0b23b83dc4e1474ed45df634a9b14e5253cd6c694ff

SHA512
5fb6743ca2770c3503490220a51d3085d1a41020d858f06b172a7f7d6978aca11b31d84e84bf76e43da29ecfca9c9de31f5260dd96624a7536af0e6b2f31f653

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.oui

Filesize
255B

MD5
0eb87cb29302476c631ce380a7e77a36

SHA1
5ed750b8c668bde83daf91adc9976b1d4f9bd993

SHA256
02e0519dcdc7d3d41a3360802f83f229530e6062c630fb9a457c318d30ad4d68

SHA512
4358066f9ee82e003220f4d3984fae1a54310fcf7184874325da4f07a264e472994caf8b203ab59fbda4059eb321fba6fb2b07c274fa99db2e9fb0e391c77aa2

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs

Filesize
255B

MD5
0eb87cb29302476c631ce380a7e77a36

SHA1
5ed750b8c668bde83daf91adc9976b1d4f9bd993

SHA256
02e0519dcdc7d3d41a3360802f83f229530e6062c630fb9a457c318d30ad4d68

SHA512
4358066f9ee82e003220f4d3984fae1a54310fcf7184874325da4f07a264e472994caf8b203ab59fbda4059eb321fba6fb2b07c274fa99db2e9fb0e391c77aa2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
96482b57d86df40e4b2c2527dd434049

SHA1
7889de80125578107721c9040a02320b20493665

SHA256
9009e6249d0d5bb535ad6a089b0bf58cd8392780607cdc977200bfd4d4d86d10

SHA512
d3aa63756032cf2abb119ec0142aab17bda1f0810e83356c1ef8bdc2f5da7f9d5e28a67e919bb01c73cc154db569efb865a4d819f1ebb6de4e8f25ed7d06acb8

Download Submit

Analysis

Sharing