Analysis

  • max time kernel: 157s
  • max time network: 165s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26/12/2023, 15:45

General

  • Target: PHOTO-GOLAYA.exe
  • Size: 149KB
  • MD5: f5114a6a5fac2aaa5993724d1c87edb9
  • SHA1: 2a280420019d46fda987f67277053fcf75907ae2
  • SHA256: 546198362c7ad11031c368f55fb2a3dde1b373eabcf149381e231ce2acfd0725
  • SHA512: 89b0a6d3f95851b42d7c80a681cfcaa8e948a5d8b494816cff2a7bfaec6900846e7f2b6eae567445176f2c61a9b1297bd7a7adbfdc2bcced222236f902f2dc66
  • SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiiMYWeITf9i7ok6k:AbXE9OiTGfhEClq9OIxiX6k

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Company\NewProduct\koollapsa.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3336
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\al99999.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1224
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\all2.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2560

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Company\NewProduct\al99999.pp
    Filesize: 255B
    MD5: b04b812595c77552f793266087d01e48
    SHA1: 8aa91687c493c205fff5276ff9c5ba423d413900
    SHA256: cd4d0ac5a7d4ba74dd5b21e60ecfa906a2983a0a14c4c98c1f72407bdd3fa74a
    SHA512: e79812a137b0a5745d819bdd2f27897eab212846cddd938d5ff3de85f7f3d2ad963f744e26dead379b7453a0be3e70a0676e1d5935d09c04b45de64a735ad394

  • C:\Program Files (x86)\Company\NewProduct\all2.vbs
    Filesize: 710B
    MD5: e5a802d1a0ae777a8608b563a1e4560f
    SHA1: 9348d515e91f7928cd905f07305b213ced3715ba
    SHA256: 9b00dbf70757dabc2f8dc2fe7454c71ad08e0ddeb98810be4f8174f5efece013
    SHA512: a7d0e1403f5fe3c66c3e5348bbc9cf09ff6e9a7be170461db8a6b0b330a1946eed90bb32c65d50f4b7b193efc40911fe0c4e9eafb2a10a6a4f0b87c3ed9bc441

  • C:\Program Files (x86)\Company\NewProduct\hhhh.txt
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\Company\NewProduct\koollapsa.bat
    Filesize: 2KB
    MD5: e8744368525a875205e7deaa1e7ed2b9
    SHA1: 9021736420e3099e3e4bcbe663879f204cf6a42a
    SHA256: 5069c594f2a182ad825dfc17f598ed1b916344c4df89de29fd11f02f5d05fc25
    SHA512: f53a692ebd968840a87018b2cbd84b4b79a79f0005bfd80e3bf9aa1f4a569220e91265ddd91fc3e7445fa5d1ba2d2727d9da57673491b5f4173c12c58ab8b2a4

  • C:\Program Files (x86)\Company\NewProduct\slonik.po
    Filesize: 53B
    MD5: ea979707f3b764bb471a7db90ab1cc7f
    SHA1: 7888f60b6d486a104525cc9737d65532fd0e4b2d
    SHA256: 070ddbb0b3d083f95194ef4105e86baae4beb6fda76b1f701416d1db421053fc
    SHA512: 659eb954b55ab126c63dbd911fe440752b98e7305070113dc9aba4f67aee2424a089e658abefd4afe16b3ab2f365487b738b4ac970e97a5a448046d4ba177efc

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: d9a93296f8c62ab96271667c72d7a3b3
    SHA1: abcf5a6ed773cfc978fc2176138778ad406c188a
    SHA256: f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993
    SHA512: f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

  • memory/4328-3-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB

  • memory/4328-51-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB

  • memory/4328-59-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB