Analysis
max time kernel: 88s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 17:57
Static task: static1
Behavioral task: behavioral1 (Sample: GOLAYA-PHOTO.exe; Resource: win7-20231129-en)
Behavioral task: behavioral2 (Sample: GOLAYA-PHOTO.exe; Resource: win10v2004-20231222-en)
General
Target: GOLAYA-PHOTO.exe
Size: 180KB
MD5: 956e2b490c56f641e1ec22001a6c8390
SHA1: 4cc154694540b69f848c6508996c964981f1c6dc
SHA256: 4b6a3c6b886086fbe58630f2742813b2fe79bf89b047551ddd9560a5f40839e8
SHA512: 03c3b0e411f5f77f4164e1070884bb60b7a8e7948f142c2ddf574aac6178643522f8ab2ec221e8dd6dd243ff98129e6a9f8446a4dbec92dbe01c7da67c6714d0
SSDEEP: 3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hR4udk4RjbC5:WbXE9OiTGfhEClq9Xuvjb4
Signatures
Blocklisted process makes network request (1 IoC)
  flow 13, PID 3900, Process: WScript.exe

Drops file in Drivers directory (3 IoCs)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (Process: cmd.exe)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (Process: WScript.exe)
  File opened for modification: C:\Windows\System32\drivers\etc\hîsts (Process: WScript.exe)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (Process: GOLAYA-PHOTO.exe)

Drops file in Program Files directory (4 IoCs)
  File opened for modification: C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno (Process: GOLAYA-PHOTO.exe)
  File opened for modification: C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat (Process: GOLAYA-PHOTO.exe)
  File opened for modification: C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs (Process: GOLAYA-PHOTO.exe)
  File opened for modification: C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs (Process: GOLAYA-PHOTO.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings (Process: GOLAYA-PHOTO.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  Columns: description; pid; Process; procid_target
  PID 3596 wrote to memory of 3128; 3596; GOLAYA-PHOTO.exe; 34
  PID 3596 wrote to memory of 3128; 3596; GOLAYA-PHOTO.exe; 34
  PID 3596 wrote to memory of 3128; 3596; GOLAYA-PHOTO.exe; 34
  PID 3596 wrote to memory of 2244; 3596; GOLAYA-PHOTO.exe; 32
  PID 3596 wrote to memory of 2244; 3596; GOLAYA-PHOTO.exe; 32
  PID 3596 wrote to memory of 2244; 3596; GOLAYA-PHOTO.exe; 32
  PID 3596 wrote to memory of 3900; 3596; GOLAYA-PHOTO.exe; 31
  PID 3596 wrote to memory of 3900; 3596; GOLAYA-PHOTO.exe; 31
  PID 3596 wrote to memory of 3900; 3596; GOLAYA-PHOTO.exe; 31
Processes
C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe (PID 3596, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Modifies registry class; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (PID 3900, level 2, child of PID 3596)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
    Signatures: Blocklisted process makes network request

  C:\Windows\SysWOW64\WScript.exe (PID 2244, level 2, child of PID 3596)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
    Signatures: Drops file in Drivers directory

  C:\Windows\SysWOW64\cmd.exe (PID 3128, level 2, child of PID 3596)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
    Signatures: Drops file in Drivers directory
MITRE ATT&CK Enterprise v15
Downloads