Overview

overview

8

Static

static

3

GOLAYA-PHOTO.exe

windows7-x64

8

GOLAYA-PHOTO.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-PHOTO.exe

  • Size

    149KB

  • MD5

    082651eefe9806f50fb938f393148d45

  • SHA1

    61817d9547cbfc0490511c8599261b62adbc61fa

  • SHA256

    dd854c4d604f2add306b0e004097c9fb897b4107f02407d4b521abbc22919bbd

  • SHA512

    3c8cd68bd19fb0fbb40ed1a5f53d7f83f152c4aced62e137bd7771303da26a4e74ce2648958909f2f92506ea2508665d7139a11b0568740104df87b68bcaf994

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiIvh5iBZ:AbXE9OiTGfhEClq9SE

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:2560
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\salst\ogurets\all3.vbs
    Filesize

    299B

    MD5

    399aafbff20b97ae2c6119061d41cbd0

    SHA1

    3056f90e2696e9564c9a3419cc7a7c03ef14b429

    SHA256

    898eebf1486b8d382f0001cec8604b4711d21e3015334bd5a49f60d39ebdc1fe

    SHA512

    85627296a59270aa783bf64d55d2560d9ee18eaa9de88deae4b8170581bd18450f53bfbbd9bdb6ec3a99ac8a06545252a1b10a13fa3584bb75dae4f917ed1606

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs
    Filesize

    744B

    MD5

    2b3d8e8acf083e55fdbaa04a313e082c

    SHA1

    d472ce8d0786478cc1f5bb1b8d9ba9085fc3ade3

    SHA256

    f75b5d1d65c4668e1c9833d7ef4dcd04013d7f1e52f80b579011cf12ba6f0846

    SHA512

    055609e1ac6e2824f5d02082e4da0995c7c1757543003cd5aa134adbf344c4c52d6d5361c909c9163dd017bc5fe6f52a5c47dc235ae77df31da8dc1bdd5a6085

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\podkati.bat
    Filesize

    3KB

    MD5

    32476fdee702c96f10c2bf839d4999ea

    SHA1

    6eba74027756760c7a3b22957efc215fbf9871e5

    SHA256

    78a635131e9f79f01185e120ecd29fb09260b56b678fccd3b23245fac2b673d3

    SHA512

    a5b73557a2293aff4b3d0e5a2f185af54abdda68ea40b5f167271da91e32f199af06bc60a6d6da4faeef960bf9844b538788745bf4c5a590807081cb6f280234

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\polenolll.pof
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\salst\ogurets\stuckja.jol
    Filesize

    51B

    MD5

    2f3e6a7cead939112e164924c1f10781

    SHA1

    33cd402d053f7597c1b825892929295e6834c35c

    SHA256

    9e32bfeb04a302900d18c7dbed95d648b766741a387001a1ef6ce32276c73136

    SHA512

    9005e318a904b7880f43e568230fd38e5a75d20f30f48b25058dad74b17d94d02bde1dbf9ee0bb931e8748f05087ab8b2116e4c00de3d134abb330bc07044ff2

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    44ccd2e0f82c735fbef30c341d6bfc10

    SHA1

    8cc305f7f8fff401380175ae0cc7d0df99b83373

    SHA256

    d29b19381fbf3494195232c63a36e6a9d38de4e2db3e80ae3f007a36e9674db3

    SHA512

    8627b9c13415f5d9c917692281f2a33aa4286f0a50b0d08933ca663cd6cc12fb17256a2270ff283dd497661001b6c06f3d16e889215821659fa24ede367dfe07

    Download Submit

  • memory/2040-72-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download