Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 04:38

General

  • Target

    GOLAYA-PHOTO.exe

  • Size

    149KB

  • MD5

    e1fb70408c7945c6524c321063bd9570

  • SHA1

    ebcd6a63fac9609c46e9c84708aa1e5701ee7775

  • SHA256

    3e2da7a655e400f9e6ad442d4db21bac0a9528bc825aaaa8fdd97406458a59ed

  • SHA512

    58751bd094dfc28c8b83085a480f70d1dfc97b990e69d90c4abe6ad5ec68c2a215445a664d5287bc624eab4175c2479fe6f0802b045fea61c12449af05f34814

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0higWrUzM/XP:AbXE9OiTGfhEClq9GWruyXP

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4468
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1432
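
As an added example (not part of the sandbox report or the sample), a small Python triage script that encodes the process tree above as constructed event records and flags the two behaviours worth alerting on: a script host (WScript.exe) whose ancestry leads back to an executable run from a user's Temp folder, with its script staged under Program Files (x86); and a shell or script host writing the hosts file. PIDs and command lines are the ones listed above; the file-write records are constructed from the "Drops file ..." tags and are an assumption about which process wrote which file. The chain check is written generally (any script host, any depth of ancestry), not just for this sample.

```python
"""Triage helper for the process tree above: flag script hosts descended from a
user-Temp executable and shells/interpreters that rewrite the hosts file.
Added example; the records below are constructed from the report, not exported."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for the tree root
    image: str
    cmdline: str


@dataclass
class FileWrite:
    pid: int
    path: str


# Process tree as listed in the report (PIDs and command lines copied from it).
PROCS: List[Proc] = [
    Proc(4788, None, r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"'),
    Proc(2820, 4788, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "'),
    Proc(4468, 2820, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"'),
    Proc(1432, 4788, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"'),
]

# Constructed file writes. Assumption: the "Drops file in Program Files directory" tag
# on PID 4788 covers the three scripts, and the "Drops file in Drivers directory" tags
# on PIDs 2820 and 1432 refer to the hosts file, the only drivers\etc path in the report.
WRITES: List[FileWrite] = [
    FileWrite(4788, r"C:\Program Files (x86)\salst\ogurets\podkati.bat"),
    FileWrite(4788, r"C:\Program Files (x86)\salst\ogurets\all3.vbs"),
    FileWrite(4788, r"C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"),
    FileWrite(2820, r"C:\Windows\System32\drivers\etc\hosts"),
    FileWrite(1432, r"C:\Windows\System32\drivers\etc\hosts"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SHELLS = {"cmd.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PROGRAM_FILES = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)
_QUOTED = re.compile(r'"([^"]+)"')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_arg(cmdline: str) -> Optional[str]:
    """First script path on the command line. Quoted tokens are tried before bare
    ones, which is what makes cmd.exe's doubled quotes (/c ""...bat" ") parse."""
    tokens = _QUOTED.findall(cmdline) + _QUOTED.sub(" ", cmdline).split()
    for tok in tokens:
        if tok.lower().endswith(SCRIPT_EXT):
            return tok
    return None


def ancestors(proc: Proc, by_pid: dict):
    """Walk parent links to the root; the seen-set guards against PID-reuse loops."""
    seen = set()
    while proc.ppid in by_pid and proc.ppid not in seen:
        seen.add(proc.ppid)
        proc = by_pid[proc.ppid]
        yield proc


def find_script_chains(procs: List[Proc]) -> List[dict]:
    """Script hosts whose ancestry includes an executable launched from user Temp."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if basename(p.image) not in SCRIPT_HOSTS:
            continue
        root = next((a for a in ancestors(p, by_pid) if USER_TEMP.match(a.image)), None)
        if root is None:
            continue
        script = script_arg(p.cmdline)
        findings.append({"pid": p.pid, "root_pid": root.pid, "script": script,
                         "staged_in_program_files": bool(script and PROGRAM_FILES.match(script))})
    return findings


def find_hosts_writers(procs: List[Proc], writes: List[FileWrite]) -> List[int]:
    """PIDs of shells or script hosts that wrote the hosts file."""
    by_pid = {p.pid: p for p in procs}
    return [w.pid for w in writes
            if w.path.lower() == HOSTS_FILE and w.pid in by_pid
            and basename(by_pid[w.pid].image) in SCRIPT_HOSTS | SHELLS]


def triage(procs: List[Proc], writes: List[FileWrite]) -> dict:
    return {"script_chains": find_script_chains(procs),
            "hosts_writers": find_hosts_writers(procs, writes)}


if __name__ == "__main__":
    for key, value in triage(PROCS, WRITES).items():
        print(key, value)
```

Run against the records above, both WScript.exe instances (PIDs 4468 and 1432) are reported with PID 4788 as their Temp-launched root and their .vbs staged under Program Files (x86), and PIDs 2820 and 1432 are reported as hosts-file writers. On a real host the same functions would be fed from Sysmon event IDs 1 (process creation) and 11 (file creation) rather than from these constructed lists.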

Network

        Dropped files

        • C:\Program Files (x86)\salst\ogurets\all3.vbs

          Filesize

          343B

          MD5

          a70714342e5ae422f1d4b0a7de156938

          SHA1

          17623bd5629d4aaead0b48625ec873b92a4d7a38

          SHA256

          b207e48398159a5637bbffa95c4dd0065172a973163d1bdf12e4f5dc716236fe

          SHA512

          acb2a805a6d5b372b049f167e36d5fb4614efc4dc3ebbb7a10b9bd6c1aa15b95a7da189f041db752481cf5ff7a52bc9536e324f52a531f4cde017bb08f4323f0

        • C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs

          Filesize

          743B

          MD5

          556b867977c81ea01eddf0d1dca64b09

          SHA1

          ff062063e4d879aba253391d65698ebe2e435f71

          SHA256

          16b74e98406c9237e29e4f943165f9bce680bcd2fdcb4179d8b8c4a474ff57c0

          SHA512

          8ad4380e76216d71403eba8c02da6536de86403f49b842b12b4dea6d5e09d7ced642717a0c004257db903538a4fdd4b341c2ef83568564fd0b9ca7ec45441867

        • C:\Program Files (x86)\salst\ogurets\podkati.bat

          Filesize

          3KB

          MD5

          29256f814d96aa9b1ba552ca27d5d8d1

          SHA1

          d9fa70fb8c7a1aa855b2d36e313e07951f9f5888

          SHA256

          7529f6ecd65340c10079f3dd2a902b2aeb5283cb26c3d6aeb9f16f98c247c3ae

          SHA512

          83638edabb754f0abc2bdbd09cdb6049869fea64ecbc8b13ae9a4d6ee03a8df4e64e73e3ac78b2811a46f0d6c2a6713f2d11d170eae18ec516de39574109a794

        • C:\Program Files (x86)\salst\ogurets\polenolll.pof

          Filesize

          27B

          MD5

          213c0742081a9007c9093a01760f9f8c

          SHA1

          df53bb518c732df777b5ce19fc7c02dcb2f9d81b

          SHA256

          9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

          SHA512

          55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

        • C:\Program Files (x86)\salst\ogurets\stuckja.jol

          Filesize

          43B

          MD5

          d78035c4c5b31de497461498fedee636

          SHA1

          e67dbea9bcc9deb3a93bc45bc936162ce431e1c5

          SHA256

          5d3a1308501ae2d5eac35d1166f833c6ee68bf4501789d7b8b0825373f5ede5c

          SHA512

          55da15d3f69422585bacfdc852780fa7c8db7b31a0cec251d7590a9850f919902d64e66c62d3e74ada9f8946fccd4f2988dd45533301d2580d7976b00b799785

        • C:\Windows\System32\drivers\etc\hosts

          Filesize

          1KB

          MD5

          d9a93296f8c62ab96271667c72d7a3b3

          SHA1

          abcf5a6ed773cfc978fc2176138778ad406c188a

          SHA256

          f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

          SHA512

          f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

        • memory/4788-0-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/4788-56-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB