d40ffbdfb7a95ee4a651feeecbc1e1fe69342abbb3d80e89b0edea43483328ae

General

Target

GOLAYA-BABE.exe
Size

180KB
MD5

f28c1e58c5766a111297588e8ab02361
SHA1

3d55a55fd6d193d32742fe89bf6041f9182ee447
SHA256

6e239da433517b0856f91d212baebdf1963d80ba6c546a440da19121580818ca
SHA512

e09add020c39a8fa5b14f094679daa9d0645f4c0fe39a33194e9c4c3cdadee05986904084387437203387d97be4381c9714e47451aff01e6a7e6fcb5ec9797fd
SSDEEP

3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0hL/eSZZvLf6CNsPrXJ8WYQKaLba:JbXE9OiTGfhEClq90GSZZvLCCNsPrXJa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	720	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	GOLAYA-BABE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2560	396	GOLAYA-BABE.exe	37
PID 396 wrote to memory of 2560	396	GOLAYA-BABE.exe	37
PID 396 wrote to memory of 2560	396	GOLAYA-BABE.exe	37
PID 396 wrote to memory of 2992	396	GOLAYA-BABE.exe	39
PID 396 wrote to memory of 2992	396	GOLAYA-BABE.exe	39
PID 396 wrote to memory of 2992	396	GOLAYA-BABE.exe	39
PID 396 wrote to memory of 720	396	GOLAYA-BABE.exe	40
PID 396 wrote to memory of 720	396	GOLAYA-BABE.exe	40
PID 396 wrote to memory of 720	396	GOLAYA-BABE.exe	40

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
fc2fcf4351f2aded0dada73e9f8d576f

SHA1
7b6e794c9366485a36e06eafb01d0f4a4d8691bf

SHA256
b0836c3e971d44ab408e6a809a891c3818ee80329f26af232295ef8518c9ba91

SHA512
4c673179d008c12685d282429afa89f477306624c473cc9475b90e09b58a69eee871cb26533d11f6c39c15a3693dd28ee3684dfed737f0b65c268842d1c24331

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
923B

MD5
7e250a4c3a7a6449119c02ffa9152fb3

SHA1
3d9e376ebd79cdcdf4545d2517e24bf4cc0ae3e5

SHA256
572ccd595ec789cc3c56de893214e2b102aaade4cf791b1df1a9d5d478343ce1

SHA512
ffa60a58dffeb27f9aa50e2e203ce817ec7af4bc29bb50cbe47e21ffa15d68afb15d517140ac1242e6604588adc3a205f0036eb2a45008d5d153e721a695fc17

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
700B

MD5
d00588d055e55ec3c9b932160f5d8871

SHA1
4ab42990617c4a65186da8b02c0029b38a4d6022

SHA256
ad14702ab903328311dfa29ac20ea72344153a92d4c5e26f46fa00b8c244f1aa

SHA512
fed047bd84641dfb44c4093e24f3e983f7f69f9e604bc1dae4156daf3b395855fa0d32f611df216cc05c599f0f7cf7daf5bb9da781a5890328d5bb1c83db8e91

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c0805e6fff9d30c65b91bc9284beac8e

SHA1
45456e27d6632159ed7e4403caa1a16721c3b603

SHA256
53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228

SHA512
34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3

Download Submit
memory/396-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing