Overview

overview

8

Static

static

3

GOLAYA-PHOTO.exe

windows7-x64

8

GOLAYA-PHOTO.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-PHOTO.exe

  • Size

    149KB

  • MD5

    0196884e4ae0fc48c9bf5f8260502466

  • SHA1

    40a78aeb8bcd7abd24088e1103ac3b292c30992a

  • SHA256

    20621acdaf45c4cbcdeb972a78a8baca5cb0327489da84523c406a1e740ec7ab

  • SHA512

    cb9a56c4c3415c955befeaedcf83e92fbe768e1bcef07d280f0c5a3f047bbc6f9dc58532c4562088ee44bd8ec69acba371e22f42b92319517bd4d1cb6a66a55f

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiHZYpz4PIsa:AbXE9OiTGfhEClq9k54PId

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\slusat\suffaling\ebanettkebanet.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:888
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\slusat\suffaling\podkluchidruga.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:720
  • C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\slusat\suffaling\sitbaby.vbs"
    1⤵
    • Blocklisted process makes network request
    PID:1348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\slusat\suffaling\ebanettkebanet.vbs
    Filesize

    884B

    MD5

    7e070563d0c8bf0f083b07d68389f706

    SHA1

    47b6834223c5597774a3a045dedece938f4a2e48

    SHA256

    54001e5eb3ccd7cda65ca05e1cdeab43e22db8fd05d8d80759bf6fee0c4ed0b4

    SHA512

    adf4dcdc420cba0bdf86d038361e0fb643ccda8099fb79abac0c0b68d6a95cd11f32f169d58cb39e9700b48d10aa70502216fa7bd8c2765a8c86812909eebd22

    Download Submit

  • C:\Program Files (x86)\slusat\suffaling\nerabotaert.life
    Filesize

    65B

    MD5

    64ae0715e0770708dcf1ebc677ced690

    SHA1

    e2c51aa34d8e771bd9555c9484b940411af77744

    SHA256

    1b7a9316e9319e5a14b488159b0a41b81d838e0546ae1767da85ca5f533acf23

    SHA512

    5537a48eb41657252757cee21b51477a2b1e15e066f4cba090c87f7de8293297f9944be0859ecf20e41733bf5d4f3d994d35ab2594c5ab7e09e826d5cbb1495e

    Download Submit

  • C:\Program Files (x86)\slusat\suffaling\podkluchidruga.bat
    Filesize

    4KB

    MD5

    e09982b4f7254a0a5a906cbacfc7b976

    SHA1

    8e0717e4993d6cbb67bb77b0ce0cb9b033d6cf33

    SHA256

    4c8e0924e9d424a4f82da2dba694e6ce00405f99876100be76a4fbc6dfe9479e

    SHA512

    a0bff8820a5f39b98fdfa03f8b0e1e6bb05bc50a4ef7671e0ee80b5afc4e7e5b912da5da038627d808a1850c89320009982664988a9468baa77fd0ffd3e91c04

    Download Submit

  • C:\Program Files (x86)\slusat\suffaling\sitbaby.vbs
    Filesize

    360B

    MD5

    6ee75ac07365c99a117a2f947003a19a

    SHA1

    09ef4f1a459faa8be9f3995688c32587c2b45392

    SHA256

    14be2b44e68f3463c783d0bbb83e8468a5967b64711592c5c6ca51b60533febc

    SHA512

    f9a897fa1a07958ccc594a065809cea8068ee837244d4415696e0c76e393c4394aefa6b4ebbf56184ee9a6433d29b9b673108ffe018cf871840c743784e8f15d

    Download Submit

  • C:\Program Files (x86)\slusat\suffaling\slonik.pokakal
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    d9a93296f8c62ab96271667c72d7a3b3

    SHA1

    abcf5a6ed773cfc978fc2176138778ad406c188a

    SHA256

    f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

    SHA512

    f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

    Download Submit

  • memory/3304-55-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download