d212ecaec3c76e4f5e608fa432b7a91203508e524b1ab8fe601c9e4a0f1b00fb

General

Target

GOLAYA-RUSSKAYA.exe
Size

239KB
MD5

344c41e9c9c76f452ba8186ab4f00fc1
SHA1

0860a4a631e8a964d0fea59f43d202716a78373a
SHA256

3827960d6852577932ca51d05127924083a4f98505f59676b21a6aea45c67d6f
SHA512

9459fa424ec2a52f93993cf56cb984364c10798ef67e58d4efc868966904ac8bf42e37054c4237e1e9ecc4579a24ee9ad360a0a666ce944e0b768177f385730b
SSDEEP

3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0hMg6X2JHBM6yJMMvyR+Cgw5CKH2:+bXE9OiTGfhEClq9fgMbnMMjJJU2

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1792	WScript.exe
5	1792	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\10101010101010101010101010100101010101011010.la	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.ggg	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.ini	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\10101010101010101010101010100101010101011010.la	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.exe	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs	cmd.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.ggg	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.exe	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1164	692	GOLAYA-RUSSKAYA.exe	28
PID 692 wrote to memory of 1164	692	GOLAYA-RUSSKAYA.exe	28
PID 692 wrote to memory of 1164	692	GOLAYA-RUSSKAYA.exe	28
PID 692 wrote to memory of 1164	692	GOLAYA-RUSSKAYA.exe	28
PID 692 wrote to memory of 576	692	GOLAYA-RUSSKAYA.exe	30
PID 692 wrote to memory of 576	692	GOLAYA-RUSSKAYA.exe	30
PID 692 wrote to memory of 576	692	GOLAYA-RUSSKAYA.exe	30
PID 692 wrote to memory of 576	692	GOLAYA-RUSSKAYA.exe	30
PID 692 wrote to memory of 1792	692	GOLAYA-RUSSKAYA.exe	31
PID 692 wrote to memory of 1792	692	GOLAYA-RUSSKAYA.exe	31
PID 692 wrote to memory of 1792	692	GOLAYA-RUSSKAYA.exe	31
PID 692 wrote to memory of 1792	692	GOLAYA-RUSSKAYA.exe	31

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.ggg

Filesize
683B

MD5
e1883f4bf7e368da53d5e2225e3a1f78

SHA1
b02a87d4a7b5438357f547cabb520e4ff6581328

SHA256
0c2feec4a22d34a39ecce8d311bf1170e66a3b34b6f2ae846bc43049a44abd2f

SHA512
0576ffa3ae4e9f18d473fcc642ce75d69ba877cb488651409376231109cd8096fe8bbc7f09f7850cddb72795f76cde4b2335e40d5060f6d8f2af6f2d17064797

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\exolot_v_rot_kompot.vbs

Filesize
683B

MD5
e1883f4bf7e368da53d5e2225e3a1f78

SHA1
b02a87d4a7b5438357f547cabb520e4ff6581328

SHA256
0c2feec4a22d34a39ecce8d311bf1170e66a3b34b6f2ae846bc43049a44abd2f

SHA512
0576ffa3ae4e9f18d473fcc642ce75d69ba877cb488651409376231109cd8096fe8bbc7f09f7850cddb72795f76cde4b2335e40d5060f6d8f2af6f2d17064797

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok

Filesize
120B

MD5
5f43cc09c2448d238b467d4902a01394

SHA1
4f82c81a46d1df708493004aa8552d4df2740e57

SHA256
24dafc098a82c1b30a66d05124610097ed4673a43121744eb35e9f578955ed6f

SHA512
05b571e6c6038ded7a360c35902405dbaa81007d2b4eca612975775c14abb61c9c54d2ab3a0fe5c3c0fdddfc212673c5a80bdb69211d1020c9acf79b1603f7c3

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat

Filesize
1KB

MD5
6c58788b3088787f7626868b1bcb77e3

SHA1
849c11036d006d15ab2b47b2004c94098e30c28b

SHA256
1b07297cac8a30f9d4fc7ff5d9bf458d23ff8dd976c8e03d193c32872bf7d054

SHA512
9972ed5669e524a6791b4ef9b56fa9c68ef03248c5a20b4f50ab837aeee0869c7d4553e504b215118b942d94b3fbf9a242843fca8c6cb5baa2bece60d56ed983

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog

Filesize
793B

MD5
1575a7d9f3f847c981c8347c1515b8bd

SHA1
926e95bbb96dbdd5a81bb6a076d5071a9cd59cf5

SHA256
1e5739a31bbad29167afe32e3e064a57d47514b0df50cdd06149454bdd54b6f2

SHA512
25e9c7daa104f043bb763304ab6ce81391a9b0f39411addb387aef6703ed8dac2d35037340c9ff17dd8c50ae16e4f54da938bbc920f8c8fa367c7bd373c382b2

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs

Filesize
793B

MD5
1575a7d9f3f847c981c8347c1515b8bd

SHA1
926e95bbb96dbdd5a81bb6a076d5071a9cd59cf5

SHA256
1e5739a31bbad29167afe32e3e064a57d47514b0df50cdd06149454bdd54b6f2

SHA512
25e9c7daa104f043bb763304ab6ce81391a9b0f39411addb387aef6703ed8dac2d35037340c9ff17dd8c50ae16e4f54da938bbc920f8c8fa367c7bd373c382b2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e756b71be76cd80a2dc3ae04deb9a309

SHA1
7cc93e6c927aa0bd1c83e5696e6195562ed27525

SHA256
4751e738816cbeae753aff68419fefd0817d6969b60db28b94d3de743abc20e7

SHA512
8db0b9f09ad3e16c1eddc900d0c75fdf447044fdaceefc44e778bc38dc62289fd0e134dd40453f0b9911a14c423cb92c3b6ef28bc16a66cd3aaa7ddab9b3a1a5

Download Submit
memory/692-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing