da6adce8c66700c1354597cc44231daad5518cab1b28c64aa5ab7a2d81ff81be

General

Target

GOLAYA-BABE.exe
Size

180KB
MD5

150145e71d2d6d5dea85bad963c49939
SHA1

1f96fc6f6bc2f0d33680ff38c440e95e348edfb4
SHA256

ee36fa40e546682624e4028bb270e5282f49fdf623f36d729b8900cba823e887
SHA512

709d6f9b98269ffb6299484f1fbd9e73d307281af24430ef33d7c09a3425259a854acb74fe1e5a46bd308d0fcd293e8bd00e86b5f0c88054bd7eac0cdb861912
SSDEEP

3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0hL/eSZZvLf6CNsPrXJ8WYQKaLnS:JbXE9OiTGfhEClq90GSZZvLCCNsPrXJm

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2608	WScript.exe
5	2608	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2784	2212	GOLAYA-BABE.exe	27
PID 2212 wrote to memory of 2784	2212	GOLAYA-BABE.exe	27
PID 2212 wrote to memory of 2784	2212	GOLAYA-BABE.exe	27
PID 2212 wrote to memory of 2784	2212	GOLAYA-BABE.exe	27
PID 2212 wrote to memory of 2860	2212	GOLAYA-BABE.exe	29
PID 2212 wrote to memory of 2860	2212	GOLAYA-BABE.exe	29
PID 2212 wrote to memory of 2860	2212	GOLAYA-BABE.exe	29
PID 2212 wrote to memory of 2860	2212	GOLAYA-BABE.exe	29
PID 2212 wrote to memory of 2608	2212	GOLAYA-BABE.exe	30
PID 2212 wrote to memory of 2608	2212	GOLAYA-BABE.exe	30
PID 2212 wrote to memory of 2608	2212	GOLAYA-BABE.exe	30
PID 2212 wrote to memory of 2608	2212	GOLAYA-BABE.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
aae98a9ae5312eb4b973299b827bbaf9

SHA1
a130b54b350d8a1de5af60bdf6d1d33bf0ddc91d

SHA256
f21532fcf3ea3a977385c0ab4f2fbeb18ea4bd5bcc3c5d89480aed9ec1458211

SHA512
35114cb5616a208a4490b4bd338d0f92dbf8e0e2a487e47afdaf67729449fa049f6c262622bd7fc5e81261a1edaf00ef7667b589ab432299cd756e53ef8b4d2d

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
927B

MD5
82e4324887462808340c0713a89ed706

SHA1
8d83251e1e7d35b45fef1cd2c682f8c2bdcc967c

SHA256
a0ff7b7e8cec36e1daeba7b2e9eaa4147edad3454f95513671014d913a48eab8

SHA512
b343cbb6d3cf3f267c85c83e6f819b71f4537960f7b755c1ca1881718a389c59182cc13af415185782113e9f7b1e2bed0622e13fcf4486d1bba8995c2818f796

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
695B

MD5
2fe333096954fc280b211ebb13742872

SHA1
e1297c0562865a6112c6ded8765468058364b881

SHA256
94dcb84b3c8639a9a224ed55becaf1fd4435a270de7f18cb4a083546c1fc1bbf

SHA512
2983d9857054e52aad03013f6ea1848d7b1ca84505261a27e60107b6d575bec357369b4e9cadab049fb8bde9fc952d8e2d97ed66db98033d6b9a02264a52d2c3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
25ee27baa31c59fdf6cf5d18955ef985

SHA1
51d4725afa6d997cb7347c60a7d17485a8fb2ea7

SHA256
75daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d

SHA512
8a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e

Download Submit
memory/2212-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing