f137523a35e349e52d07373173fdc3048647ed610a1bb117bde631980665893e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-BABE.exe
Size

240KB
MD5

934d29283079d878fae23838ff5d156b
SHA1

773c0ba664625a4030af3b8ea321de5ee0e029c6
SHA256

fe9d78c0c394e248da57fc5693fe5cb0a759489c93ae300adef582f1069413c6
SHA512

d410f0196092ad17a00496a587cd135e610efd6af47091731be9040d9426e2d24641e5989dc753d4e9d7ba3f126f8f2ce467f006c303a659cfb8495c8c119fc2
SSDEEP

3072:4BAp5XhKpN4eOyVTGfhEClj8jTk+0hnbGsthRX1Tr+Cgw5CKHe:vbXE9OiTGfhEClq9uLhjyJJUe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2712	WScript.exe
5	2712	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\Uninstall.ini	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2408	1960	GOLAYA-BABE.exe	19
PID 1960 wrote to memory of 2408	1960	GOLAYA-BABE.exe	19
PID 1960 wrote to memory of 2408	1960	GOLAYA-BABE.exe	19
PID 1960 wrote to memory of 2408	1960	GOLAYA-BABE.exe	19
PID 2408 wrote to memory of 2712	2408	cmd.exe	15
PID 2408 wrote to memory of 2712	2408	cmd.exe	15
PID 2408 wrote to memory of 2712	2408	cmd.exe	15
PID 2408 wrote to memory of 2712	2408	cmd.exe	15
PID 1960 wrote to memory of 2592	1960	GOLAYA-BABE.exe	16
PID 1960 wrote to memory of 2592	1960	GOLAYA-BABE.exe	16
PID 1960 wrote to memory of 2592	1960	GOLAYA-BABE.exe	16
PID 1960 wrote to memory of 2592	1960	GOLAYA-BABE.exe	16

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs"
1⤵
- Blocklisted process makes network request
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download