1044712e97e70f54a8a13c2d0afaf3c9eff6bf50e2554b468f2911c210db5a66

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-TOPLESS.exe
Size

238KB
MD5

7710fc4fcea932679b40d31d409ae117
SHA1

bb5dfd38943356d6c1cff6b12d32f1cb54af6d35
SHA256

11abaf6a3b196588408e4d7fe8bf9a7d9b1a9b9bb3eeeb3dc2215be38f18eefa
SHA512

7fb1e792e8d2533a5aa4927971249d59f25fe2fe7067b9a1dbbb71aa1a5964bd7efb75822c73ffdef9ff118982e42b870c883229fa37eee228f3d11026574b06
SSDEEP

6144:MbXE9OiTGfhEClq9528TfdRoWRg+lN/JJUm:oU9XiuiJ8DRxl5

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2856	WScript.exe
5	2856	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2804	2212	GOLAYA-TOPLESS.exe	17
PID 2212 wrote to memory of 2804	2212	GOLAYA-TOPLESS.exe	17
PID 2212 wrote to memory of 2804	2212	GOLAYA-TOPLESS.exe	17
PID 2212 wrote to memory of 2804	2212	GOLAYA-TOPLESS.exe	17
PID 2212 wrote to memory of 2856	2212	GOLAYA-TOPLESS.exe	15
PID 2212 wrote to memory of 2856	2212	GOLAYA-TOPLESS.exe	15
PID 2212 wrote to memory of 2856	2212	GOLAYA-TOPLESS.exe	15
PID 2212 wrote to memory of 2856	2212	GOLAYA-TOPLESS.exe	15

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
f17d1131d70c2bdb19dd02e4e3ce329a

SHA1
b94bec3322500c7ed985b771fd69ad29e2727d18

SHA256
d3bb53de9670b8be634b53c3202850684fae7b1487d4556a7354dcafd37395e9

SHA512
36269e665653a40c995c3764e79e73e0de5e17ecf19327752b4a5a255d7f99b539e336d17beb66f32246243f0acf8bdbf2d0bc64ec53f2a9f12f24a7d5e2c005

Download Submit
memory/2212-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2212-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download