bc264cefdd71f824c7617fe22d7010c3c83eddc5df054f4620c04d337a87452f

Analysis

max time kernel
2s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-BABE.exe
Size

149KB
MD5

ce2c59183c953db0a928dd2b35617782
SHA1

57a06ae1bf3e53eb433370e153d59e955673d3ce
SHA256

a9c84d69a5b984ad536e841e7862be252607c6e58fbc08865dff980309013125
SHA512

5668235ffd3fee5ccfa70afc0b11a0fe0ce5290015ea6478ca3c67d88563e1fb935d43ff1ec1a22cf657eb2e75b55aec623bf949c8473fa4271ff573a5cb3a96
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi5KoCWyekax:AbXE9OiTGfhEClq9+o2e5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\lit.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\bautmyside.txt	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\infocars.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\inown\aboutmyside\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4156	4416	GOLAYA-BABE.exe	44
PID 4416 wrote to memory of 4156	4416	GOLAYA-BABE.exe	44
PID 4416 wrote to memory of 4156	4416	GOLAYA-BABE.exe	44

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat" "
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\infocars.vbs"
    3⤵
    PID:5036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs"
  2⤵
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs

Filesize
818B

MD5
302a03c9ba9820a52adf3b5ee5462421

SHA1
68143e5c8c9f915f6191fc4c6f38220498ca0042

SHA256
3ce49b9d89a945c16926ff75af1330051204878644b45dc2c4e0cb883ffae176

SHA512
12b4c2c936f535b53b5198e9222fe2ac69aae6d53ea35cc8200f7044c8d77a5f4793faea4e0d84544fe60fc942c4b0f62981a15390d8049ec4d939ce92ce0cc0

Download Submit
C:\Program Files (x86)\inown\aboutmyside\infocars.vbs

Filesize
334B

MD5
4dac2c8699edc17fbb7036ca3ec636b6

SHA1
e8a316283f5ad515a4163395442556aa41c929c7

SHA256
6e0b74f4db571a5acb966ee1dd836c61b723a59ccc31aeff28e678068b43fbdf

SHA512
4f0dc350e1e465ec609ff44e3618a57e16af6f7221072965afd70c00fe778831b869677cfc321c3bcd411885946ed486b88b5efca68729ad6bb0e0ba32932a10

Download Submit
C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat

Filesize
3KB

MD5
9fc77ce2b3812122bc9a0bd79e4e91c4

SHA1
dd6141af0796835d3e1ac5da73d0c4bfcc98f2a7

SHA256
105764a33c276aa8bba1b6f5e5d766f5555be9d76514333c1a0f7091c2a51fe5

SHA512
00724ebf25c8750410038a773050937abadd26fa52d04802bbecbb7297056677cb958cb33154d667bfc56e01fa8770147c31b1e2fa97cce967a2c365a5ea22ce

Download Submit
C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
memory/4416-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download