19ec847acc53e0bd820002da49fd7275d5d4573de2376543fb800183675b8488

General

Target

GOLAYA-PHOTO.exe
Size

239KB
MD5

5320277e4c76722726a9e237ae0a0f26
SHA1

82c5cb1976639e65d34d3c1e51fa8e63cc067860
SHA256

112d224d6a3aa266a091addf132124c66d2c37528bd8c576a761f45cd9d82eda
SHA512

5f24a146005f705f7db96dfea7ba6c05c60af5ae40c7ba36b5729650f42440c8b74cc588cc631fe0d656d774cf786b294ff782005d8b9f8991343f74650ffe69
SSDEEP

6144:MbXE9OiTGfhEClq9528TfdRoWRg+lNOEJJUm:oU9XiuiJ8DRxl5

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	3196	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	GOLAYA-PHOTO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	GOLAYA-PHOTO.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4872	4492	GOLAYA-PHOTO.exe	91
PID 4492 wrote to memory of 4872	4492	GOLAYA-PHOTO.exe	91
PID 4492 wrote to memory of 4872	4492	GOLAYA-PHOTO.exe	91
PID 4492 wrote to memory of 3196	4492	GOLAYA-PHOTO.exe	94
PID 4492 wrote to memory of 3196	4492	GOLAYA-PHOTO.exe	94
PID 4492 wrote to memory of 3196	4492	GOLAYA-PHOTO.exe	94

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:4872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
145be08a3a04bebad33b7816f025b4b4

SHA1
f1e01e5d7d0628bd7fe21a62f71800ec6a89b06b

SHA256
ea9f727bc90fa8586d0f53ed7d9327b1bc1d2a931c7f1cae5e2b43f0e785683a

SHA512
b34998bf04447b8773fee8ca28ad78158b3062de407cc95611a0e388dba1070529714ef3051779e5316b1bb0654110d5954db77dd86e77d44c7221847c17d35f

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
97B

MD5
3807e1f3cb6ac7e9c85010cdcd2f1f45

SHA1
777efdef5312f5cc7631ade918101598b9db0987

SHA256
5b6842d21454ad96181462652e7c62ad19151a09aaeada14cdc3e1d1784cc637

SHA512
aa15e58fb0beb18ac94d1712b60d8162229983aa7155a859b8f978f8c9dc467b67d7b2eee9e9cb8835692691342c4ace9621ebd56bd83a4eeb0d6deba5671d40

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll

Filesize
1KB

MD5
bd49e7ded871e3b7618124c879e562a7

SHA1
91579d82f8dbfdd79e0bcce705fbb34ae7eadc01

SHA256
7a1eed6715c27722fbc04252fc514e8cbbdeb4dd54a9abaf306a8a1cdf0b3a2a

SHA512
0924433074a8ab4b93bdd4ff18205c9298f51d6c4810e45c671c026d98a48f7031634f2a3b4cec95e9573ed6559915a57b9a3dbda450cacc4e239ee31bc77018

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b4434980101442bcce3e0b0f6d12d743

SHA1
1a68111eba898c9b337b1dcd8cd803e339df5335

SHA256
9e8f7c183744c28ee7e84f2804a12185b1d330e25a929dd71c1adee6f6dbfb93

SHA512
86fc9e287d669446159989e463774cba0a5105c5394231782f41fd61cb41647ab48b4d773de11e06538721c4b10900548ac328e38fbfac217927dd9f9fdf9941

Download Submit
memory/4492-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4492-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing