Overview

overview

8

Static

static

3

GOLAYA-PHOTO.exe

windows7-x64

8

GOLAYA-PHOTO.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    143s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/01/2024, 10:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-PHOTO.exe

  • Size

    149KB

  • MD5

    ccca394b1369e766c53346550b481c57

  • SHA1

    47dccd3fc9b7bf7c98f75fa11725089d5a977b4c

  • SHA256

    211901e1229d7b816754146ff8d7167e8a92211afe63dc44eb8056d0b054a12a

  • SHA512

    98625c9dd7cc8b57609ce20f6f295dc8704a75b49cde806ddbbb040cf3832028425bed0cd0da0c501508fabd2cdc59cd1717fa948362281848ed4ba798990712

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hisUwxgTpLnNq:AbXE9OiTGfhEClq9TwxgJn0

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4284

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\salst\ogurets\all3.vbs
          Filesize

          358B

          MD5

          559c8ec72bf701870603c0f79907234c

          SHA1

          f3a809dee961f1f3d6c5c384596504981273fd77

          SHA256

          51611da1f1bedbfc97fa015b41bc5e5ebfe61b8eb2aca050d440c642dd0c41c6

          SHA512

          6616f4ac087e1b9e6f1bff0e5d844e316cddd5a2409e97b88118410475ab1bb544d59d6006940f74cad176470bc58112608d2b7bc01e71f0b232c6cdfa551a6a

          Download Submit

        • C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs
          Filesize

          826B

          MD5

          b0350182dcd735cf07e9c501cff5e7a1

          SHA1

          6dc80006d0d6e0e1d136826ab0e2a6c9bc61b950

          SHA256

          9659ca4ab0f584f9f3bbb5135eb0d12ebc3d24cbbdc719c7d7338f59d401f410

          SHA512

          3ba96b3082f3a98a3adc452d1f52284bd49b2d035f0fbe960738324b624b8e2a70254bbed7a7f0d29ff6f5cd756f01f29d3fbba75419d9ed652879cdf79312ea

          Download Submit

        • C:\Program Files (x86)\salst\ogurets\podkati.bat
          Filesize

          3KB

          MD5

          a131962527d3b919e7c23267a2b0cdc4

          SHA1

          e7d2e84d765b7c2011bb91c78c93da33227dcfc8

          SHA256

          72375ee539442bf129b7ad6c3dbc68728b16a2106cef403000f26a833dd12322

          SHA512

          cfd69e3b434c9b4262b929b02e7616151f2960df56cc632f8c0e4d6e3a2f724c34db7d71e1bc984bccd9cc0a39a77e6da86cc4d675c2af0d3ae09bf981694cbc

          Download Submit

        • C:\Program Files (x86)\salst\ogurets\polenolll.pof
          Filesize

          27B

          MD5

          213c0742081a9007c9093a01760f9f8c

          SHA1

          df53bb518c732df777b5ce19fc7c02dcb2f9d81b

          SHA256

          9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

          SHA512

          55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

          Download Submit

        • C:\Program Files (x86)\salst\ogurets\stuckja.jol
          Filesize

          64B

          MD5

          61391af0a6e3c8f6d08b46b623eb3c2e

          SHA1

          ffe8b74b2c5920b13fabd2f203ab2c6171be663a

          SHA256

          d0a90a49e36d502e4903b5062712bca9006ae0afd349d4e9a74789eb68189685

          SHA512

          f98bbbb3602936619714dcf787c3589948291e6e7a0c69f404e8b636a3c7ce608ac400b589b828f31270c550ef28f8a741fc40d8d018e28f0fe4512d50140180

          Download Submit

        • C:\Windows\System32\drivers\etc\hosts
          Filesize

          1KB

          MD5

          d9a93296f8c62ab96271667c72d7a3b3

          SHA1

          abcf5a6ed773cfc978fc2176138778ad406c188a

          SHA256

          f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

          SHA512

          f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

          Download Submit

        • memory/4992-0-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4992-4-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4992-5-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4992-6-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4992-34-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4992-63-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download