Malware Analysis Report

2025-08-10 22:50

Sample ID 240108-evfp1sahcr
Target 4a6997ddb679ba971b941cad2c32c409
SHA256 c4054d2220af93231fbe5137e7be605277ccf75f9acb5c01fe332bceb74393ee
Tags
score
8/10

Analysis Overview

score
8/10

SHA256

c4054d2220af93231fbe5137e7be605277ccf75f9acb5c01fe332bceb74393ee

Threat Level: Likely malicious

The file 4a6997ddb679ba971b941cad2c32c409 was found to be: Likely malicious.

Malicious Activity Summary


Blocklisted process makes network request

Drops file in Drivers directory

Checks computer location settings

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 04:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 04:15

Reported

2024-01-08 04:18

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hîsts C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe

"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"

Network

Country Destination Domain Proto
US 64.62.191.222:1234 tcp
US 64.62.191.222:1234 tcp

Files

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

memory/2732-34-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 04:15

Reported

2024-01-08 04:18

Platform

win10v2004-20231215-en

Max time kernel

118s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hîsts C:\Windows\SysWOW64\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A
File opened for modification C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe

"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"

Files

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

C:\Windows\System32\drivers\etc\hosts

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

memory/2480-35-0x0000000000400000-0x0000000000432000-memory.dmp