506372c1fb52fc5d55aa4a4d58870ddd6629efab5378189e83d6b895fc35ea1b

General

Target

GOLAYA-RUSSKAYA.exe
Size

180KB
MD5

437dd1b2355209aa9a91f832845f85fc
SHA1

0ccd0140517c9c067408fb4774cb5e526859dc70
SHA256

6b7e6cad21a6484563780fb7244451b9b6f05b222295e6dd411f1bf86a073b71
SHA512

f8713bfb008db72c76ca2260c1e519abb3fcc69629480f2ce86d2c2f1b7b190669c5c6c0113546cf95df427e3e482e0a4fb38fd0884a9aaf65d6c1de000a1a3c
SSDEEP

3072:SBAp5XhKpN4eOyVTGfhEClj8jTk+0hkfEihIemxerel:hbXE9OiTGfhEClq9FffhbmxSel

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	696	WScript.exe
5	696	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\besthoice.paws	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\photo will appear\Top Dog of the Week\cat\WichitaKansase.bat	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\teenageboyandhisparents.vbs	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\seaonbyonethisweeken.vbs	GOLAYA-RUSSKAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3044	3068	GOLAYA-RUSSKAYA.exe	29
PID 3068 wrote to memory of 3044	3068	GOLAYA-RUSSKAYA.exe	29
PID 3068 wrote to memory of 3044	3068	GOLAYA-RUSSKAYA.exe	29
PID 3068 wrote to memory of 3044	3068	GOLAYA-RUSSKAYA.exe	29
PID 3068 wrote to memory of 2156	3068	GOLAYA-RUSSKAYA.exe	31
PID 3068 wrote to memory of 2156	3068	GOLAYA-RUSSKAYA.exe	31
PID 3068 wrote to memory of 2156	3068	GOLAYA-RUSSKAYA.exe	31
PID 3068 wrote to memory of 2156	3068	GOLAYA-RUSSKAYA.exe	31
PID 3068 wrote to memory of 696	3068	GOLAYA-RUSSKAYA.exe	32
PID 3068 wrote to memory of 696	3068	GOLAYA-RUSSKAYA.exe	32
PID 3068 wrote to memory of 696	3068	GOLAYA-RUSSKAYA.exe	32
PID 3068 wrote to memory of 696	3068	GOLAYA-RUSSKAYA.exe	32

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\photo will appear\Top Dog of the Week\cat\WichitaKansase.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\teenageboyandhisparents.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\seaonbyonethisweeken.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\photo will appear\Top Dog of the Week\cat\WichitaKansase.bat

Filesize
678B

MD5
b51d7ebd78adc7346f57f138e60db926

SHA1
332ef6f0ac6e604e0c0fdba8360cd930e442a5ad

SHA256
bcedf4b4b0589d02ed543f9411beb5b11112e3dceb3761f5e1d7e7fda201a6d6

SHA512
f77b8fe4b5857eea1606fac11cf059b4d5ed949bebc4c1949e3526bd31e0404ad65a69312220e3613687f9eca72db920143fce5d0f08d67b56299ef15dade35e

Download Submit
C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\besthoice.paws

Filesize
61B

MD5
20d85a9e9af49d48895cb700a1d85968

SHA1
2f771ce331603dc5f9a9187c42c9cee981f818a9

SHA256
9a37f2686ff885eaa643dc7c7d38a8fcf1879ee184bf85fa983ec5931d5277eb

SHA512
b06ad097286ff036ebd805cff4d1babc25953984504713ae4a0289336f813c18c03c927b12559a92cea596e10f4069c8d0c03fbc98590ad2e3d4e119ea14ae30

Download Submit
C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\seaonbyonethisweeken.vbs

Filesize
522B

MD5
751a1375ff8b8740c9f6f01829bca218

SHA1
f10e6eef7e5d16feec54eaabaa1a2e40ef423d41

SHA256
7c525dd341e3290e18403b97ef4672805a41d12b2e5cf890239a1cafb598c0b1

SHA512
5987a3e689952e8379218b02286f7e3565886d2f1ebe4cefcb1a23caff0b5d4f41082a03b2c4fbb64ba3d943414a9f72dffa12485869ab35c8a14c7d743513cc

Download Submit
C:\Program Files (x86)\photo will appear\Top Dog of the Week\dog\teenageboyandhisparents.vbs

Filesize
772B

MD5
328c0aa6c4df61a1c4a6bfc9837f360e

SHA1
2eecc3814558441bdafd521919df93f86fd3a7e7

SHA256
91c7971a2b0ce4d650d29223e3171d120c52f5d165c18f0aab0117c784945f73

SHA512
4c1c6301cdbf4d0c666c03e6f6d19b4c6a3a3ca23f54d1526b7ea24c6562383006757565d8406caf29b92144a327df11771dbf593bad8bd65bd081f7c450b3a0

Download Submit
memory/3068-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing