a21973259874074601addf2d845658e98020b99381e244e58773fed3f3780a87

General

Target

GOLAYA-TOPLESS.exe
Size

180KB
MD5

f28c1e58c5766a111297588e8ab02361
SHA1

3d55a55fd6d193d32742fe89bf6041f9182ee447
SHA256

6e239da433517b0856f91d212baebdf1963d80ba6c546a440da19121580818ca
SHA512

e09add020c39a8fa5b14f094679daa9d0645f4c0fe39a33194e9c4c3cdadee05986904084387437203387d97be4381c9714e47451aff01e6a7e6fcb5ec9797fd
SSDEEP

3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0hL/eSZZvLf6CNsPrXJ8WYQKaLba:JbXE9OiTGfhEClq90GSZZvLCCNsPrXJa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	1100	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	GOLAYA-TOPLESS.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	GOLAYA-TOPLESS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	GOLAYA-TOPLESS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3980	1984	GOLAYA-TOPLESS.exe	65
PID 1984 wrote to memory of 3980	1984	GOLAYA-TOPLESS.exe	65
PID 1984 wrote to memory of 3980	1984	GOLAYA-TOPLESS.exe	65
PID 1984 wrote to memory of 1912	1984	GOLAYA-TOPLESS.exe	67
PID 1984 wrote to memory of 1912	1984	GOLAYA-TOPLESS.exe	67
PID 1984 wrote to memory of 1912	1984	GOLAYA-TOPLESS.exe	67
PID 1984 wrote to memory of 1100	1984	GOLAYA-TOPLESS.exe	66
PID 1984 wrote to memory of 1100	1984	GOLAYA-TOPLESS.exe	66
PID 1984 wrote to memory of 1100	1984	GOLAYA-TOPLESS.exe	66

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
fc2fcf4351f2aded0dada73e9f8d576f

SHA1
7b6e794c9366485a36e06eafb01d0f4a4d8691bf

SHA256
b0836c3e971d44ab408e6a809a891c3818ee80329f26af232295ef8518c9ba91

SHA512
4c673179d008c12685d282429afa89f477306624c473cc9475b90e09b58a69eee871cb26533d11f6c39c15a3693dd28ee3684dfed737f0b65c268842d1c24331

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
923B

MD5
7e250a4c3a7a6449119c02ffa9152fb3

SHA1
3d9e376ebd79cdcdf4545d2517e24bf4cc0ae3e5

SHA256
572ccd595ec789cc3c56de893214e2b102aaade4cf791b1df1a9d5d478343ce1

SHA512
ffa60a58dffeb27f9aa50e2e203ce817ec7af4bc29bb50cbe47e21ffa15d68afb15d517140ac1242e6604588adc3a205f0036eb2a45008d5d153e721a695fc17

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
700B

MD5
d00588d055e55ec3c9b932160f5d8871

SHA1
4ab42990617c4a65186da8b02c0029b38a4d6022

SHA256
ad14702ab903328311dfa29ac20ea72344153a92d4c5e26f46fa00b8c244f1aa

SHA512
fed047bd84641dfb44c4093e24f3e983f7f69f9e604bc1dae4156daf3b395855fa0d32f611df216cc05c599f0f7cf7daf5bb9da781a5890328d5bb1c83db8e91

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
2296897b43ba3d81a95d621853e0ef3d

SHA1
bd479992fbe2ec2145b295be5ab9ef8e317ea333

SHA256
078d83575dfe7286ddc05b29032dcf3de76d74cae149d94163fddf83c1f5df49

SHA512
ab9a82da93b1c4e89dd7b40ca5a489b4cbee366c2d5f0ca40c810248efcf32ca6c86abdc46fafaa838eaa5ea607740ac85bdda89f212c3669418ccd7d3e8619c

Download Submit
memory/1984-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing