Analysis

  • max time kernel
    112s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2022 02:04

General

  • Target

    GOLAYA-SEXY.exe

  • Size

    237KB

  • MD5

    ba2bf7358006651b7f089cf5dd96cd32

  • SHA1

    939048fee823c35f23c22aed5dceca97a8be0c85

  • SHA256

    21f6371b68404f168d5861e5fde1170eda93d81d86a86cc765bcd30d732b78bc

  • SHA512

    c715e72a63150192bbb8a70302512540d7ada89bc08ee50bf7e40eb8d25664d63ac7c3fc9d5dbc145d062e729a06dafe8e67649f0095f426ac8b4ea3156101f3

  • SSDEEP

    3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0h5Y2AGeSw+Cgw5CKHS:JbXE9OiTGfhEClq9AY2AGeGJJUS

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4248
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4888
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4664
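
The process tree above is the part of this report that turns into a detection most directly: an executable in the user's Temp directory spawns cmd.exe on a .bat that the dropper itself wrote under Program Files (x86), and both cmd.exe and the dropper then launch WScript.exe on .vbs files from the same directory. The script below is an added example and not part of the sandbox report or its tooling; it replays the report's PIDs, images and command lines as constructed process-creation events (Sysmon Event ID 1 style fields are an assumption about the telemetry source) together with a benign installer-script control, and flags a script host running a script from Program Files when any ancestor process lives in a user-writable location.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style field subset; assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree (PIDs, images and command lines
# as recorded there), plus two benign controls: explorer.exe and a vendor installer script.
EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(536, 4000, r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"'),
    ProcEvent(4248, 536, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat" "'),
    ProcEvent(4888, 4248, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs"'),
    ProcEvent(4664, 536, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs"'),
    ProcEvent(7000, 4000, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /c "C:\Program Files\Vendor\setup.bat"'),
]

# Script hosts of interest; cmd.exe is included because .bat files are the first stage here.
SCRIPT_HOST_RE = re.compile(r"\\(?:cmd|wscript|cscript)\.exe$", re.IGNORECASE)
# A quoted or unquoted drive-rooted path ending in a script extension, anywhere in the command line.
SCRIPT_ARG_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:bat|cmd|vbs|vbe|js|jse|wsf|ps1))"?', re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:\\Program Files(?: \(x86\))?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)


def ancestors(ev, by_pid):
    """Walk parent links; stops at PIDs we have no record for (e.g. started before logging)."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def classify(ev, by_pid):
    """Return (severity, reason) for a script host running a Program Files script, else None."""
    if not SCRIPT_HOST_RE.search(ev.image):
        return None
    scripts = [m.group(1) for m in SCRIPT_ARG_RE.finditer(ev.cmdline)]
    in_pf = [s for s in scripts if PROGRAM_FILES_RE.match(s)]
    if not in_pf:
        return None
    tainted = [a for a in ancestors(ev, by_pid) if USER_WRITABLE_RE.search(a.image)]
    if tainted:
        return ("high", f"{ev.image} (pid {ev.pid}) runs {in_pf[0]} "
                        f"under {tainted[0].image} (pid {tainted[0].pid})")
    return ("low", f"{ev.image} (pid {ev.pid}) runs {in_pf[0]}; no user-writable ancestor")


def scan(events):
    """Map pid -> (severity, reason) for every event that trips the rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        verdict = classify(ev, by_pid)
        if verdict:
            findings[ev.pid] = verdict
    return findings


if __name__ == "__main__":
    for pid, (sev, why) in scan(EVENTS).items():
        print(f"[{sev.upper()}] {why}")
```

The ancestry check is what separates this chain from a legitimate installer: a vendor setup.bat run from Program Files under explorer.exe still matches the script-in-Program-Files pattern but is reported as low, while the three report PIDs (4248, 4888, 4664) inherit the user-Temp origin of PID 536 and come out high.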

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Program Files (x86)\poddddkod_dap\novay\1.txt

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs

    Filesize

    594B

    MD5

    45f214b0559ba1bdadec2beebe20f608

    SHA1

    902da8f35a5c6c9af3f94f4d9df77576d04638a8

    SHA256

    09239da81b4484446aa5059786078132f1933dc6e013171b12f23117602bdf04

    SHA512

    081a636ecf62e3b4412a51dbf82a829612b4209538444d31e0f4572207d04262930c3f0ff3abbde4ad6811c354cf97866201b51d18c9b6809e23b68bdabbcd25

  • C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp

    Filesize

    61B

    MD5

    f646791f751efff33b23461174826845

    SHA1

    0bbcec47b55640be32ffab3a093883a401ba7764

    SHA256

    3c5492e6bbc49833d6252b53540140e0af85c8529c98ea2ab62df7646767aec6

    SHA512

    b4da3f099be3bade7c3c6757993a55af0a66329f8d4ab132386130f69413c71867a4454ce02627023c417fa443d76c990a1999bd0d4f301de04af7603a4fdf60

  • C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat

    Filesize

    1KB

    MD5

    49948124563c73e095c5c54f00e03b96

    SHA1

    779cfbe4b5a74af0049fb0d5eb55e756b2f78127

    SHA256

    56b00d7528b54a7a9604ff3a8a20ec7a5336e783fc7ae6625374e4304406b518

    SHA512

    7d4e4ece566f760b41c256a0b82d393a14f849e41119a1b84417b7255685b70f72149fae4d43ad101557a201f7b8482f524392f53c0d7f2fb15af8ab5aae2f09

  • C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui

    Filesize

    249B

    MD5

    f2af09717b1aa23eccb54c15d645a18f

    SHA1

    c2f81426f45e73c9367d7be8473ad27acc3a58e4

    SHA256

    83ee369a5ab57b016c08919541455bb5e6f17fc27f76a2f70ca5359b8fa7eced

    SHA512

    fceb7d777c866c71a85f6b68f9863791a49eab59a1eb277338df293fa0d6f11af1d94bee6c876f62d8b7872eb06428cdd14b01135a16ab9260d2fbbd24270338

  • C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs

    Filesize

    249B

    MD5

    f2af09717b1aa23eccb54c15d645a18f

    SHA1

    c2f81426f45e73c9367d7be8473ad27acc3a58e4

    SHA256

    83ee369a5ab57b016c08919541455bb5e6f17fc27f76a2f70ca5359b8fa7eced

    SHA512

    fceb7d777c866c71a85f6b68f9863791a49eab59a1eb277338df293fa0d6f11af1d94bee6c876f62d8b7872eb06428cdd14b01135a16ab9260d2fbbd24270338

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    776b152fc7b16cdb6f03b535016b30d7

    SHA1

    535c5c292c16acda59325c59c1327dfe39499334

    SHA256

    802d784cf685137a021b5a2c86d32e755ddde8212de5d320f1c4cd97feff735b

    SHA512

    fbcd9e8283b69170bdee143111a26e22778bf792b5bb0e00db524b087008b23a2fdca3c772b3cb1631914772e91699cffe7a45023e717c204f30e99f67759090

  • memory/4248-132-0x0000000000000000-mapping.dmp

  • memory/4664-138-0x0000000000000000-mapping.dmp

  • memory/4888-136-0x0000000000000000-mapping.dmp
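
Of the dropped files, the one that matters most for response is C:\Windows\System32\drivers\etc\hosts: both WScript.exe processes are credited with "Drops file in Drivers directory", and the report records the hash of the rewritten hosts file but not its content. The script below is an added example, not part of the report; it checks a hosts file against the report's SHA256 and, independently of the hash, lists every active mapping, classifying null/loopback targets as sinkholes (the usual way this kind of dropper blocks update or vendor sites) and everything else as a redirect. The sample hosts text is constructed, as are the example-av.test and example-bank.test names; the report does not say which names the real file touched.

```python
import hashlib
import ipaddress
import re

# SHA256 the report records for the hosts file written by the dropper.
REPORT_HOSTS_SHA256 = "802d784cf685137a021b5a2c86d32e755ddde8212de5d320f1c4cd97feff735b"

# Constructed sample (assumption): the stock Windows header followed by the two kinds of
# entry a dropper typically injects. The report lists only the hash, not the content.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "# localhost name resolution is handled within DNS itself.\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "0.0.0.0 update.example-av.test\n"
    "127.0.0.1 www.example-av.test   # trailing comment, must be ignored\n"
    "198.51.100.23 login.example-bank.test\n"
)

HOSTS_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f:.]+)\s+([^#]+?)\s*(?:#.*)?$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_hosts(text: str):
    """Return (lineno, address, [names]) for every active (non-comment) mapping."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOSTS_LINE_RE.match(line)
        if m:
            entries.append((lineno, m.group(1), m.group(2).split()))
    return entries


def classify_entry(addr: str, name: str):
    """'sinkhole' for null/loopback targets, 'redirect' otherwise, None for localhost lines."""
    if name.lower() in LOCAL_NAMES:
        return None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    return "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"


def audit_hosts(data: bytes) -> dict:
    """Hash the file, compare to the report, and list every non-localhost mapping."""
    digest = sha256_hex(data)
    findings = []
    for lineno, addr, names in parse_hosts(data.decode("utf-8", errors="replace")):
        for name in names:
            kind = classify_entry(addr, name)
            if kind:
                findings.append((lineno, kind, name, addr))
    return {"sha256": digest,
            "matches_report": digest == REPORT_HOSTS_SHA256,
            "findings": findings}


if __name__ == "__main__":
    # On a live host, read C:\Windows\System32\drivers\etc\hosts (as bytes) instead of the sample.
    result = audit_hosts(SAMPLE_HOSTS.encode())
    print("sha256:", result["sha256"], "(matches report)" if result["matches_report"] else "")
    for lineno, kind, name, addr in result["findings"]:
        print(f"line {lineno}: {kind:9} {name} -> {addr}")
```

The hash comparison only confirms this exact dropped file; a variant with a different name list will miss it, which is why the content check does not depend on the hash. A stock Windows hosts file has no active mappings at all, so on an unmanaged endpoint any finding is worth a look, and a loopback or 0.0.0.0 entry for a security vendor's update host is the classic sign of this technique.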