Analysis

  • max time kernel
    57s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2022 01:36

General

  • Target

    GOLAYA-TOPLESS.exe

  • Size

    237KB

  • MD5

    5c94059adb47691be3bd70b628224d42

  • SHA1

    2173a63636142956ac0f2032caf3c327f27dd4cc

  • SHA256

    5159ded8a0a546ebbed689e870873c7cea047be40d6311cc475d3ca5cedfcd52

  • SHA512

    dd9178ee54765bf7c002889ff700516b77c5297e446f284a2f36768325cd5dd531878d1c07fe013024e92c001f9450fb349b26b0608426dda12a7d9f62f74701

  • SSDEEP

    3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0h5Y2AGeS/+Cgw5CKHS:JbXE9OiTGfhEClq9AY2AGe/JJUS

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:920
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:668
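
The tree above is the part of the report a responder acts on: a dropper run from the user's Temp directory hands off to cmd.exe and WScript.exe, and every script they execute lives under Program Files (x86). The following triage script is an added example, not the sandbox vendor's code or part of the sample. The events are constructed from the PIDs, images and command lines listed above; the parent PIDs are inferred from the nesting arrows (1⤵, 2⤵, 3⤵), which the report does not state explicitly. It rebuilds each interpreter's ancestry and flags the two traits that make this chain worth a look: a script run from Program Files, and a root process living in a Temp directory.

```python
"""Process-tree triage over sandbox-style process events.

Added example for this report, not code from the sandbox vendor. The
events are constructed from the report's Processes section; 'ppid' is
inferred from the tree indentation (an assumption), not read from the page.
"""
import re
from dataclasses import dataclass

INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"\\Program Files( \(x86\))?\\", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed from the report's process tree; ppid inferred from nesting depth.
EVENTS = [
    Event(1380, 0, r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"'),
    Event(1232, 1380, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd /c ""C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat" "'),
    Event(920, 1232, r"C:\Windows\SysWOW64\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs"'),
    Event(668, 1380, r"C:\Windows\SysWOW64\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs"'),
]


def ancestry(events, pid):
    """Return the chain of events from pid up to the root (pid first)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def triage(events):
    """Return (pid, image name, reason) for each interpreter launch worth a look."""
    findings = []
    for e in events:
        if e.name not in INTERPRETERS:
            continue
        root = ancestry(events, e.pid)[-1]
        reasons = []
        # Installers write to Program Files; scripts executed from there are unusual.
        if SCRIPT_EXT.search(e.cmdline) and PROGRAM_FILES.search(e.cmdline):
            reasons.append("runs a script dropped under Program Files")
        # The whole chain descends from a binary that ran out of %TEMP%.
        if TEMP_DIR.search(root.image):
            reasons.append(f"descends from a Temp-dir executable (pid {root.pid})")
        if reasons:
            findings.append((e.pid, e.name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, name, why in triage(EVENTS):
        print(f"pid {pid} {name}: {why}")
```

Run on the constructed events it reports all three interpreter processes (1232, 920, 668) with both reasons; the dropper itself is not an interpreter and is only surfaced as the root of each chain. On real telemetry (Sysmon event 1, EDR process-create records) the same two checks apply unchanged, since they only use image path, command line and parent linkage.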

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\poddddkod_dap\novay\1.txt

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs

    Filesize

    597B

    MD5

    14b7a456d0f0e6687042375f36291c2a

    SHA1

    3d88d8475406fa2d004f9588524b289d3359f795

    SHA256

    0f4a15ce097fd7c24d13837b181d2e222a1ff5574fbcc8bac890047186d8725d

    SHA512

    41fec515cd4cbebaedb97a5eecea24b5bb00feae30c5e1c7ea01000afec2626cdd63c3197def7d68dba591cc4efb30fa7b203f46483738d969eaca961beda031

  • C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp

    Filesize

    65B

    MD5

    7cb8698f0d38b859c2162d8d4012e91e

    SHA1

    0936d45df25ae05a6a47404ebfa04f10758b158f

    SHA256

    b9f7186bbcb607a8f0870abc34c4900ed94e94593dba0b4446dd65b516d21545

    SHA512

    5e14a31aeedf67a4cb95ec88d5f79498e4e101a9ca7f1a032c762a674214f20c98fd9427471a5541464efd2a53618257ceea2426ac7a6a0f76c728d3597f805b

  • C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat

    Filesize

    1KB

    MD5

    dfe49fa05ee03d982c71a69f2407b2cb

    SHA1

    a76fe7187f26d05e2e3b153aad4e181baf0a65da

    SHA256

    2fdcf51105495fbca8ee4e73f446622feedde33851ed2cb6eb891577c78fff92

    SHA512

    a8b1be902a469959be4ab84866beb868363eaef5a7ccb7d3cdf1dae10a9574e55960e1813430902043c8900f5e4026d710a1610eceeff40ec4dc5b30e4fc943e

  • C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.oui

    Filesize

    255B

    MD5

    bdc969e3d207e323222b4b5e5f0728ae

    SHA1

    5150df263f3a05a7ffa853bf0a6b2f9b8bbd6d79

    SHA256

    0cb7945b915222abe5886b7d2036ee76bc7093f51fc18b795f1c600837bd5f5d

    SHA512

    d97f7a7f96e14ca2b0940cbd8007a9a23dc54f8d6fca512b7ce713f8aa97c0d471c351a33ae7027ccd2ec308ff4ef6f2c14171774faacac8af170cb55fc75ee6

  • C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs

    Filesize

    255B

    MD5

    bdc969e3d207e323222b4b5e5f0728ae

    SHA1

    5150df263f3a05a7ffa853bf0a6b2f9b8bbd6d79

    SHA256

    0cb7945b915222abe5886b7d2036ee76bc7093f51fc18b795f1c600837bd5f5d

    SHA512

    d97f7a7f96e14ca2b0940cbd8007a9a23dc54f8d6fca512b7ce713f8aa97c0d471c351a33ae7027ccd2ec308ff4ef6f2c14171774faacac8af170cb55fc75ee6

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    776b152fc7b16cdb6f03b535016b30d7

    SHA1

    535c5c292c16acda59325c59c1327dfe39499334

    SHA256

    802d784cf685137a021b5a2c86d32e755ddde8212de5d320f1c4cd97feff735b

    SHA512

    fbcd9e8283b69170bdee143111a26e22778bf792b5bb0e00db524b087008b23a2fdca3c772b3cb1631914772e91699cffe7a45023e717c204f30e99f67759090

  • memory/668-61-0x0000000000000000-mapping.dmp

  • memory/920-60-0x0000000000000000-mapping.dmp

  • memory/1232-55-0x0000000000000000-mapping.dmp

  • memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

    Filesize

    8KB
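
The Downloads section is the file-level IOC set: five dropped files under C:\Program Files (x86)\poddddkod_dap\novay\ and a rewritten C:\Windows\System32\drivers\etc\hosts (the "Drops file in Drivers directory" signature). The script below is an added example, not the sandbox's code. It takes the SHA256 values copied from the list above, maps each Windows path onto a directory that stands in for the host's C:\ (so it runs on any OS, against a mounted image or a live system), and reports each path as missing, matching or present-but-different. The report does not show the contents of the modified hosts file, so the hosts parser only flags entries a stock Windows hosts file would not carry; the sample hosts text in the block is constructed for the demo.

```python
"""Offline check of the dropped-file hashes listed in this report.

Added example, not the sandbox vendor's code. The SHA256 values are copied
from the report's Downloads section; the hosts file content is constructed.
"""
import hashlib
import os
import tempfile

# SHA256 values copied from the report's Downloads section.
IOC_SHA256 = {
    r"C:\Program Files (x86)\poddddkod_dap\novay\1.txt":
        "9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69",
    r"C:\Program Files (x86)\poddddkod_dap\novay\boiii_ffffpo.vbs":
        "0f4a15ce097fd7c24d13837b181d2e222a1ff5574fbcc8bac890047186d8725d",
    r"C:\Program Files (x86)\poddddkod_dap\novay\dooolina_op.ppp":
        "b9f7186bbcb607a8f0870abc34c4900ed94e94593dba0b4446dd65b516d21545",
    r"C:\Program Files (x86)\poddddkod_dap\novay\looopodokopo.bat":
        "2fdcf51105495fbca8ee4e73f446622feedde33851ed2cb6eb891577c78fff92",
    r"C:\Program Files (x86)\poddddkod_dap\novay\slonopotamus.vbs":
        "0cb7945b915222abe5886b7d2036ee76bc7093f51fc18b795f1c600837bd5f5d",
    r"C:\Windows\System32\drivers\etc\hosts":
        "802d784cf685137a021b5a2c86d32e755ddde8212de5d320f1c4cd97feff735b",
}


def to_local(root, win_path):
    """Map a Windows path like C:\\X\\Y onto root/X/Y so the check works offline."""
    rel = win_path.split(":", 1)[1].lstrip("\\").split("\\")
    return os.path.join(root, *rel)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_iocs(root, iocs=IOC_SHA256):
    """Return {windows_path: 'missing' | 'match' | 'mismatch'} for every IOC."""
    result = {}
    for win_path, expected in iocs.items():
        local = to_local(root, win_path)
        if not os.path.isfile(local):
            result[win_path] = "missing"
        elif sha256_of(local) == expected.lower():
            result[win_path] = "match"
        else:
            result[win_path] = "mismatch"  # present, but not the version the sandbox saw
    return result


LOOPBACK = {"127.0.0.1", "::1"}


def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs that a stock Windows hosts file would not contain."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() == "localhost":
                continue
            found.append((ip, name))
    return found


# Constructed sample (not from the report): a hosts file with two redirects added.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   update.example.test     # blocks updates
127.0.0.1 login.example.test
"""


def demo():
    """Build a stand-in C:\\ containing only a modified hosts file and check it."""
    root = tempfile.mkdtemp()
    hosts = to_local(root, r"C:\Windows\System32\drivers\etc\hosts")
    os.makedirs(os.path.dirname(hosts))
    with open(hosts, "w") as f:
        f.write(SAMPLE_HOSTS)
    return check_iocs(root), suspicious_hosts_entries(SAMPLE_HOSTS)


if __name__ == "__main__":
    statuses, entries = demo()
    for path, status in statuses.items():
        print(status.ljust(8), path)
    for ip, name in entries:
        print("hosts override:", ip, name)
```

In the demo the five dropped files come back "missing" and the constructed hosts file comes back "mismatch" (present, but not the bytes the sandbox recorded), which is the realistic outcome on a host where the hosts file has been edited by anything other than this exact sample. A "match" on any of the Program Files (x86)\poddddkod_dap\novay\ paths is a strong indicator, because that directory has no legitimate reason to exist.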