ecf26209b4937cd41cdf83d14c39598a1aad08870fb0d508767a10e62b44e5d1

General

Target

GOLAYA-PHOTO.exe
Size

239KB
MD5

35e34f63ef670bfe60a3c221d567e654
SHA1

88fcc3e6e54f3a3db84246e6764f27dd6936f1ce
SHA256

6278837bb874cec55e1e76a4216e80a969ecb0f3997f95476532c8093fd68416
SHA512

423191b07909d5aedef8bc3cc5584ac70b7278993572d4f7a0600a731101b054a8abdb6aeb52a17c34b37bb3f46fc2d1a53eadea313203d72551eea8a492a766
SSDEEP

6144:EbXE9OiTGfhEClq9P0A6XAM93eblYuaOJJUG:QU9XiuioblYuaQ

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	3812	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	GOLAYA-PHOTO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.exe	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\10101010101010101010101010100101010101011010.la	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\10101010101010101010101010100101010101011010.la	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs	cmd.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.ini	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\loksjin serdchema\nedorosti samim\Uninstall.exe	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	GOLAYA-PHOTO.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 232	4592	GOLAYA-PHOTO.exe	33
PID 4592 wrote to memory of 232	4592	GOLAYA-PHOTO.exe	33
PID 4592 wrote to memory of 232	4592	GOLAYA-PHOTO.exe	33
PID 4592 wrote to memory of 3812	4592	GOLAYA-PHOTO.exe	37
PID 4592 wrote to memory of 3812	4592	GOLAYA-PHOTO.exe	37
PID 4592 wrote to memory of 3812	4592	GOLAYA-PHOTO.exe	37

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\loksjin serdchema\nedorosti samim\lap_lap-kol_pois_oaloa.fok

Filesize
112B

MD5
a97805a7dcdf57804ebce37d2599a681

SHA1
99cfacb04b6bbe087d6c46e3d920ba9ab0a4f056

SHA256
0c6fa09a4144b4313cd2a859b98b622f836c1ea311d84aca4dcd25f706d35039

SHA512
dca01920001d10435669e51f2ba65159e9997bc0e4a3f12e0b52b66061e402194d01ac8cfd74c53499cdf59aa9f6adf3fa0e5e73b6ef1d4c0e8a5bc9955ab1c9

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\put_ya_flower_to_unita.bat

Filesize
1KB

MD5
566a552d406d27e2a880c5558bb27a50

SHA1
49acdfdfc158be303f79fb60ab712b0fe1abe87c

SHA256
f7a3cada1d699adf2346fd0cab1d12bea9a31da9ba912c8645bbc8eebf20644b

SHA512
70beea33263e2aa349fd6f8438eb6b87b1a88929fbfa5ace76573e888941d805aa76bcb80e1c31d8ffab90b630b4dc19f44a5404287130e16261c54102ae0a78

Download Submit
C:\Program Files (x86)\loksjin serdchema\nedorosti samim\skolidbfwbfngpxvbbo3ignbglsnflhlsbsvgkblebrhbkfb.gggog

Filesize
1KB

MD5
dab668821ca8283fb9483edcfa6a2a26

SHA1
eea584b7f6e9b445c05bffddafa6429e722c04d4

SHA256
23c472f534ce91061e9f9412ec82afe266fb97a6fb26c065e0ed638db2c7cd73

SHA512
6601f98ecdbe22794cbbc42d4b93df86cf9e0d931cbab84f1837df54c5638d332d279030911bddb165087dc29a01ab648d7549a1b0f58c9ffb76be7e4bb426d7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
e895b77e7ccb25b85bced418a87608bd

SHA1
c7ca319ed930fb7451f3f71dd3cc28b447917630

SHA256
ff2cab78345bcf7b012854a3318bb2ff9469069b977c67d52b42f613f2bd4a1b

SHA512
696f37d0b5791cdde648b6ef93e5518f1861afd6b7c0f5d8ecd3d9e2773e3175c69c2b9ab9c392ec73ff03a74dacc08ddb090033dfa5d9de6140e82d444d2f85

Download Submit
memory/4592-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing