ccbe567ea06bdf8770f70c7e8deb6911778cb3f44ccb7a9d7a5f879f939a92e2

General

Target

GOLAYA-PHOTO.exe
Size

180KB
MD5

956e2b490c56f641e1ec22001a6c8390
SHA1

4cc154694540b69f848c6508996c964981f1c6dc
SHA256

4b6a3c6b886086fbe58630f2742813b2fe79bf89b047551ddd9560a5f40839e8
SHA512

03c3b0e411f5f77f4164e1070884bb60b7a8e7948f142c2ddf574aac6178643522f8ab2ec221e8dd6dd243ff98129e6a9f8446a4dbec92dbe01c7da67c6714d0
SSDEEP

3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hR4udk4RjbC5:WbXE9OiTGfhEClq9Xuvjb4

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	3900	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	GOLAYA-PHOTO.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	GOLAYA-PHOTO.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3128	3596	GOLAYA-PHOTO.exe	34
PID 3596 wrote to memory of 3128	3596	GOLAYA-PHOTO.exe	34
PID 3596 wrote to memory of 3128	3596	GOLAYA-PHOTO.exe	34
PID 3596 wrote to memory of 2244	3596	GOLAYA-PHOTO.exe	32
PID 3596 wrote to memory of 2244	3596	GOLAYA-PHOTO.exe	32
PID 3596 wrote to memory of 2244	3596	GOLAYA-PHOTO.exe	32
PID 3596 wrote to memory of 3900	3596	GOLAYA-PHOTO.exe	31
PID 3596 wrote to memory of 3900	3596	GOLAYA-PHOTO.exe	31
PID 3596 wrote to memory of 3900	3596	GOLAYA-PHOTO.exe	31

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
d200449456e89d07109236616ff90ab2

SHA1
2557563adba8b21fcd7428b317f8e3eb9f808adc

SHA256
5efb8eafec044705fbe2a79da14865729d797bc4645f2809dbd228d113478a06

SHA512
0ba9e99c7f619dc24bc788cc1d969e92157086c468cd0f1530e409fe8a72f277d9f6676ef619f9cef0416afc82770b74339607c2c4732d4af7b4d9e3dbf61569

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
1KB

MD5
ec6d78d4582009dd3a0e15be0ac2b26b

SHA1
5679b4f61576b66a32c81e5444c0d3e25d087ee8

SHA256
df0a1c447c933b615aa8a73fc26fb947270c353594e88ed2a956eb8c79426dcb

SHA512
8b08e49a1bea88dfb028cd29d407cc1c6933931bcb16fc03b9a59df71dac25fda4e111dd0f40016cd60ebb3a6da69a781db65689dec58249f7484e6a65afd32e

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Filesize
33B

MD5
ded96240bcebce6519cd28de7f5517ad

SHA1
8852fb21ed0fa817d9344c7a9552d84c656f0bf5

SHA256
e5c66dd5e75abf1c2319939027d755b86c49eb152e63343d16820f5caa17cc5e

SHA512
38ef39f2be82fce6b4604786b1e759ffc7a82a7468342d1b5f273b83a29392b4d430fca8672650802bc056e759d7dcce2457758c77698f5bc1f61c8eefe8193a

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
689B

MD5
1c84e9db3372ae0fcea66e005106843a

SHA1
6d237997c02dc890f2f8e20381e96f18e3b0291d

SHA256
e36505831d46395477eb8dfcb58879894c4d99f33fed69d2501cbab0098ea60f

SHA512
6f5122c9a9f9722b1ee800fa62e93dd6fc6d9a2212e97a1bf16746bdc80ff00190937a61cca06dd0eebcee78540fc2855b99d51e90e2fcc4eb3d293008c1fd3b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
84779ed3e471bc778b21f8336472a995

SHA1
bb3af6290d525a9a350027679cc246fd1414528c

SHA256
509016e31d4f493e5f3725f52eb0b421290cba66634cd53c9e69d7fd87f71657

SHA512
fc93c1063815e7966df069dd220174df5976a037cda58d90017b4dffcf90645686eb8b89211a195bf1e057ae17a67018d7e01e58d2500b661f5f8bef1a7c6ae9

Download Submit
memory/3596-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing