6bbfe36b0f4c83d9d5e4f454ec523dd8fd9ff691dc2e7486b902c0843bcef073

General

Target

GOLAYA-SEXY.exe
Size

180KB
MD5

956e2b490c56f641e1ec22001a6c8390
SHA1

4cc154694540b69f848c6508996c964981f1c6dc
SHA256

4b6a3c6b886086fbe58630f2742813b2fe79bf89b047551ddd9560a5f40839e8
SHA512

03c3b0e411f5f77f4164e1070884bb60b7a8e7948f142c2ddf574aac6178643522f8ab2ec221e8dd6dd243ff98129e6a9f8446a4dbec92dbe01c7da67c6714d0
SSDEEP

3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hR4udk4RjbC5:WbXE9OiTGfhEClq9Xuvjb4

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	2028	WScript.exe
9	2028	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	GOLAYA-SEXY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1372	1476	GOLAYA-SEXY.exe	27
PID 1476 wrote to memory of 1372	1476	GOLAYA-SEXY.exe	27
PID 1476 wrote to memory of 1372	1476	GOLAYA-SEXY.exe	27
PID 1476 wrote to memory of 1372	1476	GOLAYA-SEXY.exe	27
PID 1476 wrote to memory of 836	1476	GOLAYA-SEXY.exe	29
PID 1476 wrote to memory of 836	1476	GOLAYA-SEXY.exe	29
PID 1476 wrote to memory of 836	1476	GOLAYA-SEXY.exe	29
PID 1476 wrote to memory of 836	1476	GOLAYA-SEXY.exe	29
PID 1476 wrote to memory of 2028	1476	GOLAYA-SEXY.exe	30
PID 1476 wrote to memory of 2028	1476	GOLAYA-SEXY.exe	30
PID 1476 wrote to memory of 2028	1476	GOLAYA-SEXY.exe	30
PID 1476 wrote to memory of 2028	1476	GOLAYA-SEXY.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
d200449456e89d07109236616ff90ab2

SHA1
2557563adba8b21fcd7428b317f8e3eb9f808adc

SHA256
5efb8eafec044705fbe2a79da14865729d797bc4645f2809dbd228d113478a06

SHA512
0ba9e99c7f619dc24bc788cc1d969e92157086c468cd0f1530e409fe8a72f277d9f6676ef619f9cef0416afc82770b74339607c2c4732d4af7b4d9e3dbf61569

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
1KB

MD5
ec6d78d4582009dd3a0e15be0ac2b26b

SHA1
5679b4f61576b66a32c81e5444c0d3e25d087ee8

SHA256
df0a1c447c933b615aa8a73fc26fb947270c353594e88ed2a956eb8c79426dcb

SHA512
8b08e49a1bea88dfb028cd29d407cc1c6933931bcb16fc03b9a59df71dac25fda4e111dd0f40016cd60ebb3a6da69a781db65689dec58249f7484e6a65afd32e

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Filesize
33B

MD5
ded96240bcebce6519cd28de7f5517ad

SHA1
8852fb21ed0fa817d9344c7a9552d84c656f0bf5

SHA256
e5c66dd5e75abf1c2319939027d755b86c49eb152e63343d16820f5caa17cc5e

SHA512
38ef39f2be82fce6b4604786b1e759ffc7a82a7468342d1b5f273b83a29392b4d430fca8672650802bc056e759d7dcce2457758c77698f5bc1f61c8eefe8193a

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
689B

MD5
1c84e9db3372ae0fcea66e005106843a

SHA1
6d237997c02dc890f2f8e20381e96f18e3b0291d

SHA256
e36505831d46395477eb8dfcb58879894c4d99f33fed69d2501cbab0098ea60f

SHA512
6f5122c9a9f9722b1ee800fa62e93dd6fc6d9a2212e97a1bf16746bdc80ff00190937a61cca06dd0eebcee78540fc2855b99d51e90e2fcc4eb3d293008c1fd3b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c103de0bdd559496de273a00bd9b6806

SHA1
7da2e899d8d1c6110495602364375fb800012e21

SHA256
9351acf3b7ab24de41196bef296b951acb91338c428a4da92f3885ecdd19c1f0

SHA512
6548f7499649c5fd6324379f348e4e5a9df1b0cd103609d3453c901e4d10e70ebc182cef131a75dd53cc73a15ebfe1e36cde4005e488879900d552da5511eb19

Download Submit
memory/1476-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing