b5f57bf0d809de4cb6480f178dba2eb9297ae1d688cb3a75143f6d0a086e82f4

Analysis

max time kernel
0s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-PHOTO.exe
Size

180KB
MD5

63f222fa3dec54c99fa71bfbef798cab
SHA1

a6aa7dca45be30f5f1f0a2c0cf24c15637fe33f4
SHA256

47bfc569cb27c9596d81d144a9af37d5f378dcdaf73d6c416b86362739354b8f
SHA512

75c8086cd6dce1433e426f8f65d893130847b0ded224a4c6f26ebc6ee1ef9a33299da4f8902067697717b3cd8e4a855018929fb8d562c9581e79d023ae46e2df
SSDEEP

3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0h+tzYOuIPA:1bXE9OiTGfhEClq9dYpII

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2744	1700	GOLAYA-PHOTO.exe	22
PID 1700 wrote to memory of 2744	1700	GOLAYA-PHOTO.exe	22
PID 1700 wrote to memory of 2744	1700	GOLAYA-PHOTO.exe	22
PID 1700 wrote to memory of 2744	1700	GOLAYA-PHOTO.exe	22

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs"
  2⤵
  PID:2588
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat" "
  2⤵
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download