Analysis

  • max time kernel
    100s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20220812-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    03/12/2022, 05:34

General

  • Target

    GOLAYA-TOPLESS.exe

  • Size

    239KB

  • MD5

    b9bafa06fc9e0a881cb060fb6278ad5a

  • SHA1

    32e1be697efb7005f411fecbdfa52c45fa0f9802

  • SHA256

    0fd52b648762cfe5cd96ece16b1c93cbdb013b305c2eafdff91a5faea4564050

  • SHA512

    3146072672987752ea5cca17b14dd0c12443fa4fceeb75547b2b12786cefc9354d4606ff4fb63fb43718664ee7e2dd2742935eab055e774e25316380575f1db0

  • SSDEEP

    3072:FBAp5XhKpN4eOyVTGfhEClj8jTk+0hH8lQTxo+0YDciRSB+Cgw5CKHG:gbXE9OiTGfhEClq9a0YrSYJJUG

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\eeebat.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:4596
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\all68767.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\zozopark.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:1268
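The process tree above is the most reusable part of this report: a dropped executable in the user's Temp directory spawns cmd.exe to run a .bat under Program Files (x86), then WScript.exe twice for .vbs files in the same directory. The following is an added example, not part of the sandbox output, showing how that chain can be turned into detection rules run over Sysmon-style process-creation events. The event list is constructed for the demo: the four events in the report are reproduced with their PIDs, while PID 1000 for explorer.exe and the two benign control events (PIDs 2222 and 3333) are invented.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style (pid, ppid,
# image, command line). PIDs 4684, 4596, 4948 and 1268 mirror the report;
# PID 1000 (explorer.exe) and the benign controls 2222 and 3333 are invented.
EVENTS = [
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 4684, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"'},
    {"pid": 4596, "ppid": 4684, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)'
                 r'\diesel and natural gas\Manufacturer of construction\eeebat.bat" "')},
    {"pid": 4948, "ppid": 4684, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": (r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)'
                 r'\diesel and natural gas\Manufacturer of construction\all68767.vbs"')},
    {"pid": 1268, "ppid": 4684, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": (r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)'
                 r'\diesel and natural gas\Manufacturer of construction\zozopark.vbs"')},
    {"pid": 2222, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
    {"pid": 3333, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\cleanup.vbs"'},
]

# Parent image located in a user's %LOCALAPPDATA%\Temp directory.
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Script path located under Program Files or Program Files (x86).
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
# Drive-letter path ending in a script extension. Quote-free scanning is used
# on purpose: cmd.exe /c ""x.bat" " quoting defeats a naive quoted-token split.
SCRIPT_PATH_RE = re.compile(
    r'[a-z]:\\[^"]*?\.(?:bat|cmd|vbs|vbe|js|jse|wsf)(?![a-z0-9])', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def detect(events):
    """Run three rules over the events; returns [(rule, pid)] in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Match on the image path the kernel reported, not on the command line:
        # the 32-bit parent wrote "system32" but WoW64 redirected it to SysWOW64.
        name = e["image"].rsplit("\\", 1)[-1].lower()
        scripts = SCRIPT_PATH_RE.findall(e["cmdline"])
        in_program_files = any(PROGRAM_FILES_RE.match(s) for s in scripts)
        parent_from_temp = (parent is not None
                            and TEMP_DIR_RE.match(parent["image"]) is not None)
        if name == "cmd.exe" and in_program_files and parent_from_temp:
            alerts.append(("temp_exe_cmd_runs_script_in_program_files", e["pid"]))
        if name in SCRIPT_HOSTS and in_program_files:
            alerts.append(("script_host_runs_script_in_program_files", e["pid"]))
        if name in SCRIPT_HOSTS and parent_from_temp:
            alerts.append(("temp_exe_spawns_script_host", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The third rule (script host spawned by a Temp-located parent) is the strongest of the three; the Program Files rules on their own will fire on some legitimate installers that stage .vbs helpers, so they need an allowlist before going into production.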

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\all68767.vbs

          Filesize

          664B

          MD5

          eb0001b6d2e3fd263f9a5109bb1663c2

          SHA1

          d6bd6ea56c0d4c3cdcedeceb37d29d7d6e9da9d0

          SHA256

          28b3d89fd48a1695fe3f6ab8f6fdd4104c271294d687f113371a041afc166551

          SHA512

          3588793bd6f4929ac02a48e5fece89e608c7ba3ac2cef886a3d8a8910aa27f9a929b3e2bb73693264de2bf8f875e82c35cae5cf581e6829f19b0b8242d4b6c39

        • C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\eeebat.bat

          Filesize

          1KB

          MD5

          b4ed1445d3cab760c3fc1ac50ac0a98c

          SHA1

          f43a0c17630d46ce027f469a61805b9b5934ccaa

          SHA256

          2737aaee8f37002c0d21528b1cf2ac23ed5e286a0293789a3cddb9255e948f01

          SHA512

          817c159cd65bab9d4fd7178cf4317bfbbdb8bfdf4886793700fe441976788c1e430e1446b5c40f894d0dfb9e85f3d5f780d858fc81e9fd0a21c765638f8e24d7

        • C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\industrialgasturbines.and

          Filesize

          111B

          MD5

          af69593dae6c79efe1059f06f9dd1643

          SHA1

          c7e6db17362d51305d7f0ca56ad765bdf7527e2d

          SHA256

          f965f03496bff27cdcb01416f0e96d4191c12cbc2cc5843e917e40996b2fa84f

          SHA512

          30c7f734c5a3e28eb276ad6ecbee6979efa84f2a5638f8948e6a4f895ca38142cc290068edef9c7ccd17af44a126eaa88f7c8588e51aa677c4b44673ae229376

        • C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\zozopark.nlk

          Filesize

          140B

          MD5

          03f21852b55b938686cdac71efad04e7

          SHA1

          83506df0e2a045a30a266bd13093a1f69df94a67

          SHA256

          eec83f98c877261d9496a2064ae3ea1ccb350bfe35c887689c481221cad77eae

          SHA512

          042acaa4d98100855a22d0b6c31e99ed907d70b2de84dae6e58934d22f889ac43272a09dab9b8e65e2410ef51098f3b0f5b43984c9a07b24c9b63a5ddc5385da

        • C:\Program Files (x86)\diesel and natural gas\Manufacturer of construction\zozopark.vbs

          Filesize

          140B

          MD5

          03f21852b55b938686cdac71efad04e7

          SHA1

          83506df0e2a045a30a266bd13093a1f69df94a67

          SHA256

          eec83f98c877261d9496a2064ae3ea1ccb350bfe35c887689c481221cad77eae

          SHA512

          042acaa4d98100855a22d0b6c31e99ed907d70b2de84dae6e58934d22f889ac43272a09dab9b8e65e2410ef51098f3b0f5b43984c9a07b24c9b63a5ddc5385da

        • C:\Windows\System32\drivers\etc\hosts

          Filesize

          1KB

          MD5

          71d56c63c666019eab63fa6f1cf94f2c

          SHA1

          e7d92bc7d1d8ce3bcc51f2a0049f21ac1b4f12dc

          SHA256

          208f28ce8cbf416b8be7beffea105562fffcfdd14cdc370e4519233c46451b53

          SHA512

          6131b7d16dacf34abaae4426e5507cb5b4df2116145572d3ed2ac0e27ebade53ec0ccc058f353c2519513bf8214d1b822d0d3197fe16bc3c96467dbaa54a1768
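Two of the artifacts above are directly actionable on a suspect host: the modified C:\Windows\System32\drivers\etc\hosts (on a stock Windows 10 install every line of that file is a comment, so any active mapping is foreign) and the SHA-256 values of the dropped files. The following is an added example, not part of the sandbox output, that parses a hosts file for active mappings and checks file contents against the reported digests. The hosts content in the block is constructed for the demo; the report does not show what the dropped hosts file actually contains. The digests are copied from the report above.

```python
import hashlib

# SHA-256 values of the dropped files as listed in the report above, keyed
# to the dropped file name. zozopark.nlk and zozopark.vbs have the same
# digest, so one entry covers both.
REPORTED_SHA256 = {
    "28b3d89fd48a1695fe3f6ab8f6fdd4104c271294d687f113371a041afc166551": "all68767.vbs",
    "2737aaee8f37002c0d21528b1cf2ac23ed5e286a0293789a3cddb9255e948f01": "eeebat.bat",
    "f965f03496bff27cdcb01416f0e96d4191c12cbc2cc5843e917e40996b2fa84f": "industrialgasturbines.and",
    "eec83f98c877261d9496a2064ae3ea1ccb350bfe35c887689c481221cad77eae": "zozopark.nlk / zozopark.vbs",
    "208f28ce8cbf416b8be7beffea105562fffcfdd14cdc370e4519233c46451b53": "drivers\\etc\\hosts (modified)",
}

# Constructed hosts-file content standing in for the dropped file. The two
# active lines and their host names are invented for this example.
SAMPLE_HOSTS = """# Sample hosts file header, all comments on a stock install.
#
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 updates.example-av.test dl.example-av.test
0.0.0.0 telemetry.example.test   # trailing comment after an entry
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) for every active mapping in hosts-file syntax.
    Comments start at '#', blank lines are skipped, one IP may carry several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, allow=frozenset()):
    """Active mappings other than loopback->localhost and any allowlisted names.
    Pass the site's known local overrides in `allow` to keep the output small."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if not (ip in LOOPBACK and name == "localhost") and name not in allow]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_reported_hashes(files, iocs=REPORTED_SHA256):
    """files: dict of path -> bytes (on a live host, Path.read_bytes() per path).
    Returns [(path, label)] for every file whose SHA-256 is in `iocs`."""
    hits = []
    for path, data in files.items():
        label = iocs.get(sha256_hex(data))
        if label is not None:
            hits.append((path, label))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    demo = {"demo.bin": b"constructed content"}
    print("hash hits:", match_reported_hashes(demo))
```

Hash matching only catches byte-identical drops; the hosts check is the more durable of the two, since any build of this sample that rewrites the hosts file will leave an active mapping behind regardless of which domains it targets.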