10bda913df3f68e0af2c252e4fdd949b42d463a93c8aacedeb5633ecd77dbb24

General

Target

GOLAYA-BABE.exe
Size

149KB
MD5

e1fb70408c7945c6524c321063bd9570
SHA1

ebcd6a63fac9609c46e9c84708aa1e5701ee7775
SHA256

3e2da7a655e400f9e6ad442d4db21bac0a9528bc825aaaa8fdd97406458a59ed
SHA512

58751bd094dfc28c8b83085a480f70d1dfc97b990e69d90c4abe6ad5ec68c2a215445a664d5287bc624eab4175c2479fe6f0802b045fea61c12449af05f34814
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0higWrUzM/XP:AbXE9OiTGfhEClq9GWruyXP

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
37	632	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\salst\ogurets\lit.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\122.txt	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\salst\ogurets\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\podkati.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\stuckja.jol	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\polenolll.pof	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\all3.vbs	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	GOLAYA-BABE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4684	4136	GOLAYA-BABE.exe	93
PID 4136 wrote to memory of 4684	4136	GOLAYA-BABE.exe	93
PID 4136 wrote to memory of 4684	4136	GOLAYA-BABE.exe	93
PID 4684 wrote to memory of 632	4684	cmd.exe	95
PID 4684 wrote to memory of 632	4684	cmd.exe	95
PID 4684 wrote to memory of 632	4684	cmd.exe	95
PID 4136 wrote to memory of 1620	4136	GOLAYA-BABE.exe	96
PID 4136 wrote to memory of 1620	4136	GOLAYA-BABE.exe	96
PID 4136 wrote to memory of 1620	4136	GOLAYA-BABE.exe	96

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs

Filesize
743B

MD5
556b867977c81ea01eddf0d1dca64b09

SHA1
ff062063e4d879aba253391d65698ebe2e435f71

SHA256
16b74e98406c9237e29e4f943165f9bce680bcd2fdcb4179d8b8c4a474ff57c0

SHA512
8ad4380e76216d71403eba8c02da6536de86403f49b842b12b4dea6d5e09d7ced642717a0c004257db903538a4fdd4b341c2ef83568564fd0b9ca7ec45441867

Download Submit
C:\Program Files (x86)\salst\ogurets\podkati.bat

Filesize
3KB

MD5
29256f814d96aa9b1ba552ca27d5d8d1

SHA1
d9fa70fb8c7a1aa855b2d36e313e07951f9f5888

SHA256
7529f6ecd65340c10079f3dd2a902b2aeb5283cb26c3d6aeb9f16f98c247c3ae

SHA512
83638edabb754f0abc2bdbd09cdb6049869fea64ecbc8b13ae9a4d6ee03a8df4e64e73e3ac78b2811a46f0d6c2a6713f2d11d170eae18ec516de39574109a794

Download Submit
C:\Program Files (x86)\salst\ogurets\polenolll.pof

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\salst\ogurets\stuckja.jol

Filesize
43B

MD5
d78035c4c5b31de497461498fedee636

SHA1
e67dbea9bcc9deb3a93bc45bc936162ce431e1c5

SHA256
5d3a1308501ae2d5eac35d1166f833c6ee68bf4501789d7b8b0825373f5ede5c

SHA512
55da15d3f69422585bacfdc852780fa7c8db7b31a0cec251d7590a9850f919902d64e66c62d3e74ada9f8946fccd4f2988dd45533301d2580d7976b00b799785

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a93296f8c62ab96271667c72d7a3b3

SHA1
abcf5a6ed773cfc978fc2176138778ad406c188a

SHA256
f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

SHA512
f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

Download Submit
memory/4136-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing