8e8de56bcb450c1663fd3eefa925aa105cda7dde2e977ebc70f06bb2f0d76ff3

General

Target

GOLAYA-RUSSKAYA.exe
Size

237KB
MD5

c8b229f0946dcf1aa4016639f7659209
SHA1

5758ddf0ec978fe2d363f35f8c6e4498a7dee32a
SHA256

095624b3fa461c157c12aac8aa20d720fc9a5a0d90bbce18b7cb5954d9acdaf9
SHA512

7966c1a66c6c0d2320f2760810fcda07396095dd0347f82580cabbe4c6b42e1f65deddbe6781c9a4f64a8e41123539f295613d9cd89c06991b2d117d5189c16d
SSDEEP

3072:tBAp5XhKpN4eOyVTGfhEClj8jTk+0hGrGivgXrC2S7yfH84zsEn/iOjt7hM8WjzQ:obXE9OiTGfhEClq9bweKRZLbJJUG

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2024	WScript.exe
4	2024	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.oui	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.oui	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\1.txt	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\dooolina_op.ppp	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\dooolina_op.ppp	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs	cmd.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\1.txt	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\Uninstall.exe	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\Uninstall.exe	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\Uninstall.ini	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs	GOLAYA-RUSSKAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1704	1456	GOLAYA-RUSSKAYA.exe	26
PID 1456 wrote to memory of 1704	1456	GOLAYA-RUSSKAYA.exe	26
PID 1456 wrote to memory of 1704	1456	GOLAYA-RUSSKAYA.exe	26
PID 1456 wrote to memory of 1704	1456	GOLAYA-RUSSKAYA.exe	26
PID 1704 wrote to memory of 2024	1704	cmd.exe	28
PID 1704 wrote to memory of 2024	1704	cmd.exe	28
PID 1704 wrote to memory of 2024	1704	cmd.exe	28
PID 1704 wrote to memory of 2024	1704	cmd.exe	28
PID 1456 wrote to memory of 1376	1456	GOLAYA-RUSSKAYA.exe	29
PID 1456 wrote to memory of 1376	1456	GOLAYA-RUSSKAYA.exe	29
PID 1456 wrote to memory of 1376	1456	GOLAYA-RUSSKAYA.exe	29
PID 1456 wrote to memory of 1376	1456	GOLAYA-RUSSKAYA.exe	29

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\poddddkody_dap\novaya\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\boiii_ffffpo.vbs

Filesize
605B

MD5
a98b7b9a9c17fd7d70869616beff7d27

SHA1
0d9002dc4da8627503f60158cc61d914e4aa9005

SHA256
24e620c4c4696b209f085017e58932fd969a20a2e3a6505daf9d02560c753070

SHA512
b2a37e74dceab7e4118bbb62dc9b490b9a4dc6a3de0c8ac89df4081dffae6f134a339a05fa19159ae3513516615015aee1605a7b684c15c4c85220b958c926cd

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\dooolina_op.ppp

Filesize
115B

MD5
790b2bff4097f17c4ea3578abc4c5018

SHA1
56f38199904fca0d34c80faf2f0056586b2357f7

SHA256
3be50fa7f71f37a5fa98fdc5d2a651309b12b75cde49a7b537160c9d944167e7

SHA512
4493184f56f40bc0e3508689b5f28f70b765d3f5b1047d075f95a48f317137188f3fc48a99c0a004d25cc35dcd500299b200cac89b1b12dcbdfae88d5c57e305

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\looopodokopo.bat

Filesize
1KB

MD5
80cd988ea463a6f90f8c748b29ef7be1

SHA1
0215d8bc36d25800bd8fbde4b0c90ba3cadcbe92

SHA256
4719d8aeb2c207b6945f8106b6782dec747c437f3a554bc88dc325c0ef032ac2

SHA512
1391e22f0b407f109dc50c9f06d205dc9759e7694f7ab12b21a4c63fa546187694cd84479477048325540f51a92c99bc973886f969f3bf13e3bad1bf2f500bd8

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.oui

Filesize
246B

MD5
f3b23459b92771ed5195866bae814669

SHA1
f8867723faf9cea996226c9c4f446ffa9cd372b5

SHA256
3e29a921aff4c5d94a65f4caa8614b216be65a5338d949dd4524fbb500112754

SHA512
8bd3dc3d399c6031ac28ac89d0ebd3e43200ba647e881f6d90094bf4cef8648745ac1c86345c63fd6bc9f315dd71b2367253f405d79a638a56cc7a14ab99d938

Download Submit
C:\Program Files (x86)\poddddkody_dap\novaya\slonopotamus.vbs

Filesize
246B

MD5
f3b23459b92771ed5195866bae814669

SHA1
f8867723faf9cea996226c9c4f446ffa9cd372b5

SHA256
3e29a921aff4c5d94a65f4caa8614b216be65a5338d949dd4524fbb500112754

SHA512
8bd3dc3d399c6031ac28ac89d0ebd3e43200ba647e881f6d90094bf4cef8648745ac1c86345c63fd6bc9f315dd71b2367253f405d79a638a56cc7a14ab99d938

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
96482b57d86df40e4b2c2527dd434049

SHA1
7889de80125578107721c9040a02320b20493665

SHA256
9009e6249d0d5bb535ad6a089b0bf58cd8392780607cdc977200bfd4d4d86d10

SHA512
d3aa63756032cf2abb119ec0142aab17bda1f0810e83356c1ef8bdc2f5da7f9d5e28a67e919bb01c73cc154db569efb865a4d819f1ebb6de4e8f25ed7d06acb8

Download Submit
memory/1456-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing