Analysis

  • max time kernel
    185s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/12/2022, 17:45

General

  • Target

    GOLAYA-DEVOCHKA.exe

  • Size

    181KB

  • MD5

    3f0da76b4c682e86aeb9a8a425eaa903

  • SHA1

    650b36332381beac233426a3fb4bfeaca92a1296

  • SHA256

    ffa647bd5ec34f2f982bd2695abf1be734d323b66617c9e7f8bdaed49832ec6e

  • SHA512

    29010590d712e329c322430340c3cd28c88d7242fefebe0f404c04f7eb703351b27c5faf01771259bb768c1ed7d14cf1730f626a372754d6579b91656bdc4c92

  • SSDEEP

    3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hD+iG+v5y1rF0t8:PbXE9OiTGfhEClq9iktFb

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\OnmywaytoHamburg.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:1424
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\all.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops file in Drivers directory
      PID:2112

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\OnmywaytoHamburg.bat

    Filesize

    2KB

    MD5

    e6ce59fc09fb37a14a4b5bcb98a2d00a

    SHA1

    6e8e5c6ec64da35518e07a666f8f9858432b9f84

    SHA256

    ea57c2bb10592cba9f9877c3c741f0933c31a85de4a418d4b4cc2d5bf4905ca2

    SHA512

    41676efb4b433930a6effcd6f99c15aced803811c6899103bf07c4dbda8ca006326eeabb90a4cdc0c2f4bf595c9a220f6f247a558bf3cc4e8ad52689156d977f

  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\all.vbs

    Filesize

    941B

    MD5

    b87e3291e10fd8337b087bd76a0d68a4

    SHA1

    b30e43fae44d514b499f29d3529b562e202cc757

    SHA256

    626eeda02026f6c26938326bf94cb969371ae144dc01403da8bde5f64ffac169

    SHA512

    2e491b155eabbc02b8bc860ad7deb64fc9421a573114e56d640680384638ac76d5d89c71d92ad1209aa920d7522812e0af895bb5d7dc1caa9246adb73d62b1d8

  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\planningandinforma.tion

    Filesize

    74B

    MD5

    e4de17733467b756874acd58408f91ce

    SHA1

    d565a19054a630b4e1c770c6448df88c97273642

    SHA256

    7e7fad021ec3258e61252983d4fb6da573233d4c94f146079ee545b65965456b

    SHA512

    7daa8a5b65d9c905f214cbe1f824e3408b5ca42302f1b534f54d0f0ecc5235a44e41b729a7e3283b93ac886831c809bbb8d989685e12a30c211577d9cb182d12

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    c103de0bdd559496de273a00bd9b6806

    SHA1

    7da2e899d8d1c6110495602364375fb800012e21

    SHA256

    9351acf3b7ab24de41196bef296b951acb91338c428a4da92f3885ecdd19c1f0

    SHA512

    6548f7499649c5fd6324379f348e4e5a9df1b0cd103609d3453c901e4d10e70ebc182cef131a75dd53cc73a15ebfe1e36cde4005e488879900d552da5511eb19