a3fea87688742a4539e4756f9a2d23ac5b3e81b45ef350e6583a000aeea1dd1b

General

Target

GOLAYA-BABE.exe
Size

180KB
MD5

79edd945122f4c8e7a4eb728f12168a4
SHA1

6b003a03c1a1752661e4beb10eb47a55de396e16
SHA256

7705d494ac9653a3d421c4199f53e3d00661cafce7c560fd5e561a0946a6b445
SHA512

8a71176d2489453c1480be2d4d27b96675a5fd8b12b6aa8c804cca429c15c99c7925e60b1baf27e5b48386626955d793f1912aabfce013d04e10c2fc50b05772
SSDEEP

3072:iBAp5XhKpN4eOyVTGfhEClj8jTk+0hUEQeozxaN:xbXE9OiTGfhEClq9rEQFE

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2560	WScript.exe
5	2560	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2672	2296	GOLAYA-BABE.exe	29
PID 2296 wrote to memory of 2672	2296	GOLAYA-BABE.exe	29
PID 2296 wrote to memory of 2672	2296	GOLAYA-BABE.exe	29
PID 2296 wrote to memory of 2672	2296	GOLAYA-BABE.exe	29
PID 2296 wrote to memory of 2864	2296	GOLAYA-BABE.exe	31
PID 2296 wrote to memory of 2864	2296	GOLAYA-BABE.exe	31
PID 2296 wrote to memory of 2864	2296	GOLAYA-BABE.exe	31
PID 2296 wrote to memory of 2864	2296	GOLAYA-BABE.exe	31
PID 2296 wrote to memory of 2560	2296	GOLAYA-BABE.exe	32
PID 2296 wrote to memory of 2560	2296	GOLAYA-BABE.exe	32
PID 2296 wrote to memory of 2560	2296	GOLAYA-BABE.exe	32
PID 2296 wrote to memory of 2560	2296	GOLAYA-BABE.exe	32

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
677acb7738ee7be8bfc68975a72a44f5

SHA1
fac8e4c415a2c632cfc6b84bb3cc78e1e271973f

SHA256
0d9aeb5672dcc6fa73d638ec25830be10f332011858ca98ffe2337ecf455145b

SHA512
3693d61baaa53ffcd5f0146a768836496b4fc05f7ce7b0bc0f42ee401920821425edad772a51ff0f4c5762a5339138c85acc6577d636cde5c584acee1b458779

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs

Filesize
905B

MD5
c5fabb543ab7826e949083ad07ce0f2c

SHA1
59f6cde9ab0b0b0185e71a72392411c6c44a4af7

SHA256
e5d4a4596c6065bc92af5ebf9ea5ff80e923473f652a8cda2417a760302fa3f7

SHA512
c1503e2209635c883557471cce6e25f74a7665f8bc92d360e8b3ebce85ff106703dbc65e74bd7524f3cde4c717ff4d61b4b08ceec4c6bfd727b6bc2e8ee99cba

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs

Filesize
641B

MD5
40f1f0084c5d05c0d4fe5b2035929cc4

SHA1
cb1623560ae101153415ac9631e042b402d99a75

SHA256
bb9202780312fadb1eee3ce7b57fe16c9921dfb5dbc0f2f73b473b21091954f0

SHA512
10a7f522260025fba22dc3271aac6e7332b57b03964e2498b4fc686c8fb4bb0928655df88ff8ce7d498f4a1502c81b119417c3823d19e876d0e4a625c464503b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
25ee27baa31c59fdf6cf5d18955ef985

SHA1
51d4725afa6d997cb7347c60a7d17485a8fb2ea7

SHA256
75daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d

SHA512
8a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e

Download Submit
memory/2296-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing