40c1685dca2af6016b14ef2da187991fca01f50b7e15578877044eb6c99cfdd9

Analysis

max time kernel
0s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-BABE.exe
Size

239KB
MD5

fbf68a3b69a27d867baf3afa2cfe8998
SHA1

316c1c73098768b6883c2378c3eee9c01e7d41df
SHA256

4617d7f365df5e30a1152ee10d8f3589ea7bfaf885bc838b0faa7271e00c3f9b
SHA512

807a01a429d657c68aa05054469e1be21af607f91c4b0aad2e1f9780718f0964873caef059f94dd2a72ef5c77b72af5175f46cb043105abfe96ba1dc2fe5756b
SSDEEP

3072:MBAp5XhKpN4eOyVTGfhEClj8jTk+0hbe+s461efwvsOq7Mirevf0o3+2GFZB4Qy0:7bXE9OiTGfhEClq9uZJJUy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\xranilise_vsei_figni_tut.bok	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.cross	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\nu kak bi vsua hernya.fos	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\nu kak bi vsua hernya.fos	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\Uninstall.ini	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\xranilise_vsei_figni_tut.bok	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.cross	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 768	5108	GOLAYA-BABE.exe	24
PID 5108 wrote to memory of 768	5108	GOLAYA-BABE.exe	24
PID 5108 wrote to memory of 768	5108	GOLAYA-BABE.exe	24

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat" "
  2⤵
  PID:768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.vbs"
  2⤵
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.vbs

Filesize
1KB

MD5
7d1fbd7514b2f60b2313698a73980778

SHA1
921d049eac65dbe6aae1c1b6120bca7d60f11923

SHA256
4998f811a390b2ed07316dc661185c8627d6a800725399683f34bb39bd68a770

SHA512
bf9c3c3fa76834f75f846a9bc8e729931d5d32c23c5cbe5f33a7f2de0036f2b6534a7ef6a52d1eddc315df953cb6659b729b1be60ed2bbc83cd1c5304489259b

Download Submit
C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat

Filesize
1KB

MD5
c890a400d45e37b491b890433440e2ac

SHA1
0047e290124a9a15243d59f3bfc5484a5429e3ee

SHA256
ad57444bbf1a75acf0267d701fde2a05aa69d975e77f135906a2b3fef92ffecd

SHA512
8d8b7b423b746f90413a4f2389229e2b8c7c431d18bc8c3b67b9f574d828fdc63f081fb2219b9a2563b12396a9c5b33a8b734f401e661f3e944e1ccf17067e25

Download Submit
C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\xranilise_vsei_figni_tut.bok

Filesize
99B

MD5
86dc7199339e9623d9cb19240a752740

SHA1
71cb2333efd767a21c031c23bb5b7e81115aff18

SHA256
c374079002e58508af7c8de08bf7e98b72a0d11b44650dcbb89f31d15e887370

SHA512
eee63bbf12c45ba73cfb543d0069288090410e91ef484587dde79995a585ef510d295d4de19701feb5704167b3d0ba01cf0a40f00c42abf29825e1f2bf917f5d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b4434980101442bcce3e0b0f6d12d743

SHA1
1a68111eba898c9b337b1dcd8cd803e339df5335

SHA256
9e8f7c183744c28ee7e84f2804a12185b1d330e25a929dd71c1adee6f6dbfb93

SHA512
86fc9e287d669446159989e463774cba0a5105c5394231782f41fd61cb41647ab48b4d773de11e06538721c4b10900548ac328e38fbfac217927dd9f9fdf9941

Download Submit
memory/5108-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download