b385184a00e274bc542ddf7980a5cf665d1c4e71207d8b0d316ce87ad1a8fb17

General

Target

GOLAYA-BABE.exe
Size

150KB
MD5

13064a1549e859958c07462c9b2f0a58
SHA1

da6a8be2da028023ad9a350845eae67a64b5bf7e
SHA256

dd8a4e021d917b7085788dcdf7d881c679a17416493fcf45ebbfedbed0df32ea
SHA512

f28a80bb53fbcb0aed10248a69e7dfbb93671d689d3df6f73eb57b6220348c25cfdb3c0cf2f791aedd44267dba4401d5c0392a2da3f460f25b3509260d2fe533
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hirrmrtA8ujM1jo:AbXE9OiTGfhEClq9dmLsM1E

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
73	3332	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\dus_dezodorant\mouyus\Uninstall.ini	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\tutunas.nistyak	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\90909090.ico	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\dus_dezodorant\mouyus\readme.txt	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	GOLAYA-BABE.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4940	4492	GOLAYA-BABE.exe	95
PID 4492 wrote to memory of 4940	4492	GOLAYA-BABE.exe	95
PID 4492 wrote to memory of 4940	4492	GOLAYA-BABE.exe	95
PID 4940 wrote to memory of 3332	4940	cmd.exe	97
PID 4940 wrote to memory of 3332	4940	cmd.exe	97
PID 4940 wrote to memory of 3332	4940	cmd.exe	97
PID 4492 wrote to memory of 1964	4492	GOLAYA-BABE.exe	98
PID 4492 wrote to memory of 1964	4492	GOLAYA-BABE.exe	98
PID 4492 wrote to memory of 1964	4492	GOLAYA-BABE.exe	98

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dus_dezodorant\mouyus\drochka_peredrochka.vbs

Filesize
789B

MD5
fbfaf5456d9016723c58958bbb6fcb99

SHA1
38d0c30b1d89f76a0471f528d6f3536061661a9b

SHA256
22dcf67869a40499096986790585adef290eb556c85077ac1b5a9f5d2f0ef17d

SHA512
537c9b09a96b107cf26a1a2b5aa8a513fed2632b3fdaf932d44fa63b78a1d91bd78cce7c5d7794025785c79091171a52546bb8f42f927cb1072f45873a32f2d6

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\fifa.vbs

Filesize
316B

MD5
9a6686649e0ccb189c6122695cb7acb3

SHA1
925042488d9b06013ee5c1c8372a7980d335fab3

SHA256
f8bcebb93f79463e73675bb1f611debda612e5d48237092aed4604f1da837e69

SHA512
173b08167eff99101732f6b08f7111e1d6c1c998bc9794a93530857cf49183bd651340a592360c2a75b259ee83118b63c25732f01342bb5ada96467dc2e4eed6

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\readme.txt

Filesize
39B

MD5
8cdff5761878e3cf771aea2aa10c1a4e

SHA1
8f7c0e2f1642ae768f3f2f9a45992a1f57c26aba

SHA256
c0c37efa00039b77e1b72d650ef0622c65db937771617ee3f0e3adf7f480360c

SHA512
730c5dd152d8f7a48f5bcda68f10b7f64235938b106479b8340fc3bbe4cfde113219deef03ca7726bcd7c9dfbcd12e4f53c631b20a77a51644ae1c1bc10e0ab4

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\tutunas.nistyak

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\dus_dezodorant\mouyus\zelands.bat

Filesize
3KB

MD5
25a0b02e83ef7cc0e50772e9ca8fdbe9

SHA1
5bf8d941645128fc22548c44d1cb9f64b0cfb360

SHA256
fd0e09bfa5c5af35ed2b17b0c3a63740fcf657550fff9a397c1a1f69af246863

SHA512
b15105e92adf78c304e7ccbd2a87946a08897ab10b009643348e7675806646a3159c632f5aa788ee6ca8128cb8f76a3d77aaa49fe6e4d9ee17748b35166562bd

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a93296f8c62ab96271667c72d7a3b3

SHA1
abcf5a6ed773cfc978fc2176138778ad406c188a

SHA256
f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

SHA512
f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

Download Submit
memory/4492-36-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4492-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4492-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4492-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4492-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4492-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4492-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing