Analysis

  • max time kernel
    149s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 17:31

General

  • Target

    PHOTO-GOLAYA.exe

  • Size

    237KB

  • MD5

    a58d8465f840e1fcad4d41d738877384

  • SHA1

    9f4111ccada5d50048488955a35f27eccb2fd503

  • SHA256

    7946f8a23ac41d420ba85a4e71c108f586cec3b2e8b8a3448f5e4d19404d785f

  • SHA512

    8f30fd6128490effb87ca8831843eb7bc1b3a6e31fe0a989b35c1005d050e1b487124aebf21ffa38d2adceb48dfc7dc28835b5ff463a05f0db8c96a77ad5b405

  • SSDEEP

    3072:DBAp5XhKpN4eOyVTGfhEClj8jTk+0hT6IPEaG562E3nV9uVSUO2I+Cgw5CKHq:ubXE9OiTGfhEClq9gTuRJJUq

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\zaryadku\proebal\routerpoi.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\zaryadku\proebal\slonik.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:3704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\zaryadku\proebal\happenewyear.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:3636

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Program Files (x86)\zaryadku\proebal\1.txt

          Filesize

          27B

          MD5

          213c0742081a9007c9093a01760f9f8c

          SHA1

          df53bb518c732df777b5ce19fc7c02dcb2f9d81b

          SHA256

          9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

          SHA512

          55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

        • C:\Program Files (x86)\zaryadku\proebal\happenewyear.vbs

          Filesize

          598B

          MD5

          534f3a8eaed70bd537098c1bb127dcd8

          SHA1

          66be8ac47602b67c051d3692500cc24a6807c5b8

          SHA256

          1b4edd294a3175156b5c8372267d55995a38a0c243c2a3376306b26da1f81b3b

          SHA512

          0d0142db36343d391a0aaa44f844c7c95d78cd9ea6477336f5812c9b9d539f4210fc90e81aa7e286c3fb28a18926dd6e8361cd81a51feae9a03c82f41186f961

        • C:\Program Files (x86)\zaryadku\proebal\pizdets.poezdets

          Filesize

          65B

          MD5

          7cb8698f0d38b859c2162d8d4012e91e

          SHA1

          0936d45df25ae05a6a47404ebfa04f10758b158f

          SHA256

          b9f7186bbcb607a8f0870abc34c4900ed94e94593dba0b4446dd65b516d21545

          SHA512

          5e14a31aeedf67a4cb95ec88d5f79498e4e101a9ca7f1a032c762a674214f20c98fd9427471a5541464efd2a53618257ceea2426ac7a6a0f76c728d3597f805b

        • C:\Program Files (x86)\zaryadku\proebal\routerpoi.bat

          Filesize

          1KB

          MD5

          62f4367de042103d398e9f82f81015db

          SHA1

          f6bf66b78ff904c30136a64dc79297310b2629fd

          SHA256

          70844e73c9bf914349bab174f8ac7e7270db9cc129f5cc41f41e005d747eb015

          SHA512

          21643331bb15d53e76e3d6a871651c1a72c0909111155d701338612dc334d9e2cfbc01a779e3a0d283af7c54a5c3ab0143ed9ccbf9f6658de7bc822d31e444a1

        • C:\Program Files (x86)\zaryadku\proebal\slonik.konchaet

          Filesize

          261B

          MD5

          2220c2ba3ab6dd671cfbc80fb66e8989

          SHA1

          c2698ec660cff13e102676af7e8426a44b68efe7

          SHA256

          4ff356480adae2f8e3e8e1ab665c2fb0b23c6c964d20c65edfb220ceb984f31e

          SHA512

          4b660fe9082965eaa0a2e5150cf9e6fca8bbd356af9d4cb09deda878a513f2074161e7b0f36a469a8293b985794f4c21afaff196ac4c80b83911b65c801a100c

        • C:\Program Files (x86)\zaryadku\proebal\slonik.vbs

          Filesize

          261B

          MD5

          2220c2ba3ab6dd671cfbc80fb66e8989

          SHA1

          c2698ec660cff13e102676af7e8426a44b68efe7

          SHA256

          4ff356480adae2f8e3e8e1ab665c2fb0b23c6c964d20c65edfb220ceb984f31e

          SHA512

          4b660fe9082965eaa0a2e5150cf9e6fca8bbd356af9d4cb09deda878a513f2074161e7b0f36a469a8293b985794f4c21afaff196ac4c80b83911b65c801a100c

        • C:\Windows\System32\drivers\etc\hosts

          Filesize

          1KB

          MD5

          776b152fc7b16cdb6f03b535016b30d7

          SHA1

          535c5c292c16acda59325c59c1327dfe39499334

          SHA256

          802d784cf685137a021b5a2c86d32e755ddde8212de5d320f1c4cd97feff735b

          SHA512

          fbcd9e8283b69170bdee143111a26e22778bf792b5bb0e00db524b087008b23a2fdca3c772b3cb1631914772e91699cffe7a45023e717c204f30e99f67759090