bc264cefdd71f824c7617fe22d7010c3c83eddc5df054f4620c04d337a87452f

General

Target

GOLAYA-BABE.exe
Size

149KB
MD5

ce2c59183c953db0a928dd2b35617782
SHA1

57a06ae1bf3e53eb433370e153d59e955673d3ce
SHA256

a9c84d69a5b984ad536e841e7862be252607c6e58fbc08865dff980309013125
SHA512

5668235ffd3fee5ccfa70afc0b11a0fe0ce5290015ea6478ca3c67d88563e1fb935d43ff1ec1a22cf657eb2e75b55aec623bf949c8473fa4271ff573a5cb3a96
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi5KoCWyekax:AbXE9OiTGfhEClq9+o2e5

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\bautmyside.txt	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\inown\aboutmyside\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\lit.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\infocars.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\Uninstall.exe	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2756	2532	GOLAYA-BABE.exe	20
PID 2532 wrote to memory of 2756	2532	GOLAYA-BABE.exe	20
PID 2532 wrote to memory of 2756	2532	GOLAYA-BABE.exe	20
PID 2532 wrote to memory of 2756	2532	GOLAYA-BABE.exe	20
PID 2756 wrote to memory of 2648	2756	cmd.exe	21
PID 2756 wrote to memory of 2648	2756	cmd.exe	21
PID 2756 wrote to memory of 2648	2756	cmd.exe	21
PID 2756 wrote to memory of 2648	2756	cmd.exe	21

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\infocars.vbs"
    3⤵
    PID:2648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs"
  2⤵
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs

Filesize
818B

MD5
302a03c9ba9820a52adf3b5ee5462421

SHA1
68143e5c8c9f915f6191fc4c6f38220498ca0042

SHA256
3ce49b9d89a945c16926ff75af1330051204878644b45dc2c4e0cb883ffae176

SHA512
12b4c2c936f535b53b5198e9222fe2ac69aae6d53ea35cc8200f7044c8d77a5f4793faea4e0d84544fe60fc942c4b0f62981a15390d8049ec4d939ce92ce0cc0

Download Submit
C:\Program Files (x86)\inown\aboutmyside\infocars.vbs

Filesize
334B

MD5
4dac2c8699edc17fbb7036ca3ec636b6

SHA1
e8a316283f5ad515a4163395442556aa41c929c7

SHA256
6e0b74f4db571a5acb966ee1dd836c61b723a59ccc31aeff28e678068b43fbdf

SHA512
4f0dc350e1e465ec609ff44e3618a57e16af6f7221072965afd70c00fe778831b869677cfc321c3bcd411885946ed486b88b5efca68729ad6bb0e0ba32932a10

Download Submit
C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life

Filesize
50B

MD5
2fbbd6510fe26068e7e81bbc7c185025

SHA1
804798609e017cf1aa1cdf39cc823f2758728301

SHA256
60cd1ca9ed0335145319ed37d63337ae5de58788e6eccf73e6f91d370f9d6240

SHA512
6e006158333d5f5b8f5ba46b921b52399866256a50fe14f340c5b44ee44f7bef096ca38f3afe3717272d5b731e041e4f656ad98c1c46ad26cdbed5d6c524b325

Download Submit
C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat

Filesize
3KB

MD5
9fc77ce2b3812122bc9a0bd79e4e91c4

SHA1
dd6141af0796835d3e1ac5da73d0c4bfcc98f2a7

SHA256
105764a33c276aa8bba1b6f5e5d766f5555be9d76514333c1a0f7091c2a51fe5

SHA512
00724ebf25c8750410038a773050937abadd26fa52d04802bbecbb7297056677cb958cb33154d667bfc56e01fa8770147c31b1e2fa97cce967a2c365a5ea22ce

Download Submit
C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
44ccd2e0f82c735fbef30c341d6bfc10

SHA1
8cc305f7f8fff401380175ae0cc7d0df99b83373

SHA256
d29b19381fbf3494195232c63a36e6a9d38de4e2db3e80ae3f007a36e9674db3

SHA512
8627b9c13415f5d9c917692281f2a33aa4286f0a50b0d08933ca663cd6cc12fb17256a2270ff283dd497661001b6c06f3d16e889215821659fa24ede367dfe07

Download Submit
memory/2532-71-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing