86a2c708c5330226ccd7858df0b8898cc671656f56bef3c4b527f6b5be4eec57

General

Target

GOLAYA-TOPLESS.exe
Size

238KB
MD5

19365e803a398bbfe82d5e743f301bdc
SHA1

a15e5cef349edd8657112595c4dcfff3816ad778
SHA256

6b8f6b996f1e07af5796cbcdc8c4738678315ceb79d6ddac36bf6564739a0d69
SHA512

926df6ce8ae54a56f3a5de4e8a4b7eec3e03bd054bb73876d1de20789731d3d78ae0cbfabc11de0d1ad029d25ad4da439ab37624e8ba2432f5003f4c133d0cce
SSDEEP

3072:qBAp5XhKpN4eOyVTGfhEClj8jTk+0hF3YnLN88OQmqDqqaSCAvigOD1LBl+OppWA:5bXE9OiTGfhEClq9OebMpLFl/JJUm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	4836	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	GOLAYA-TOPLESS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\net takoi papki\slonopotam\1.txt	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\net takoi papki\slonopotam\slonopotamus.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\net takoi papki\slonopotam\hreansdva.vbs	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.day	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.day	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\net takoi papki\slonopotam\Uninstall.ini	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\net takoi papki\slonopotam\industrialgasturbines.and	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\net takoi papki\slonopotam\1.txt	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\net takoi papki\slonopotam\industrialgasturbines.and	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\net takoi papki\slonopotam\Uninstall.exe	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\net takoi papki\slonopotam\slonopotamus.bat	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\net takoi papki\slonopotam\hreansdva.vbs	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\net takoi papki\slonopotam\Uninstall.exe	GOLAYA-TOPLESS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	GOLAYA-TOPLESS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1504	3052	GOLAYA-TOPLESS.exe	81
PID 3052 wrote to memory of 1504	3052	GOLAYA-TOPLESS.exe	81
PID 3052 wrote to memory of 1504	3052	GOLAYA-TOPLESS.exe	81
PID 1504 wrote to memory of 4836	1504	cmd.exe	83
PID 1504 wrote to memory of 4836	1504	cmd.exe	83
PID 1504 wrote to memory of 4836	1504	cmd.exe	83
PID 3052 wrote to memory of 2040	3052	GOLAYA-TOPLESS.exe	84
PID 3052 wrote to memory of 2040	3052	GOLAYA-TOPLESS.exe	84
PID 3052 wrote to memory of 2040	3052	GOLAYA-TOPLESS.exe	84

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\net takoi papki\slonopotam\slonopotamus.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\net takoi papki\slonopotam\hreansdva.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\net takoi papki\slonopotam\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\net takoi papki\slonopotam\hreansdva.vbs

Filesize
703B

MD5
319f1667539576553217904f642e8c87

SHA1
d635c807ed83f4253488741235a9978198e629a8

SHA256
d5dc0c9e256f90483cbd045e1fc5550fa7a226da65725f1d6fb4dc12b6002b25

SHA512
1e633f6d1fd6cbf4e6d1a53dacd42047a8fa72da5b61f6c7be934ed71c813ac3d1cca8a045ef52e9542695e21e1f6324025b630d00d87888fd0474df2fa1b70e

Download Submit
C:\Program Files (x86)\net takoi papki\slonopotam\industrialgasturbines.and

Filesize
62B

MD5
de82684480a421adb43faa8a0f0ba90c

SHA1
1753245ba7ccb497dc2f80b50bbd77ad5ab3233f

SHA256
5c69612291a7268a23b641da68e3b481898aead68e7656ff0d40ce7a26346f9d

SHA512
83d96ba49175fb930595f0535be64408ee7b763c2234bbdd5e5c20dea86ae9b59e38b122b5a67884b8a88f6a8de4cdb8edb2901fa870841bc4f1c17ed518429c

Download Submit
C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.day

Filesize
204B

MD5
fb40466550dd194c5de642d8e11b3a84

SHA1
6a67325a0e6c8f1a438efd83598a2f6dc09b5159

SHA256
b2edad93500e3568c7c2383597f84e8734afaf31285035393c83893f377633a4

SHA512
d32bf1164a58eb641c4da3ca3c0fa69252e1bc62cb8a5e0bb97db40eef1f6eefb2b741383193865eb36913db97ff3d8edd4630d62c6761ad8204dd396af4bf9e

Download Submit
C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.vbs

Filesize
204B

MD5
fb40466550dd194c5de642d8e11b3a84

SHA1
6a67325a0e6c8f1a438efd83598a2f6dc09b5159

SHA256
b2edad93500e3568c7c2383597f84e8734afaf31285035393c83893f377633a4

SHA512
d32bf1164a58eb641c4da3ca3c0fa69252e1bc62cb8a5e0bb97db40eef1f6eefb2b741383193865eb36913db97ff3d8edd4630d62c6761ad8204dd396af4bf9e

Download Submit
C:\Program Files (x86)\net takoi papki\slonopotam\slonopotamus.bat

Filesize
1KB

MD5
971f6553ee51e88cedf6aeea296a55b5

SHA1
dca9418dfa8a343691e0e8ddab58c2149eb2cbc9

SHA256
958f782b7608606612d82778e3230d0a28b119f10a7331dfb0fb8a5de0319c9f

SHA512
89aab2dd3274658fe5c400aec2cfe68f58aeac619b3cf6d2efc4e2c152544a383260c6d23b8707602298bdc27a82fe72ca835e128a417643d995937629b0529b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
71d56c63c666019eab63fa6f1cf94f2c

SHA1
e7d92bc7d1d8ce3bcc51f2a0049f21ac1b4f12dc

SHA256
208f28ce8cbf416b8be7beffea105562fffcfdd14cdc370e4519233c46451b53

SHA512
6131b7d16dacf34abaae4426e5507cb5b4df2116145572d3ed2ac0e27ebade53ec0ccc058f353c2519513bf8214d1b822d0d3197fe16bc3c96467dbaa54a1768

Download Submit

Analysis

Sharing