39ee4603593626c007c699d2938fd48a32f19c3362d41bab6a438395f0883350

Analysis

max time kernel
0s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-TOPLESS.exe
Size

240KB
MD5

934d29283079d878fae23838ff5d156b
SHA1

773c0ba664625a4030af3b8ea321de5ee0e029c6
SHA256

fe9d78c0c394e248da57fc5693fe5cb0a759489c93ae300adef582f1069413c6
SHA512

d410f0196092ad17a00496a587cd135e610efd6af47091731be9040d9426e2d24641e5989dc753d4e9d7ba3f126f8f2ce467f006c303a659cfb8495c8c119fc2
SSDEEP

3072:4BAp5XhKpN4eOyVTGfhEClj8jTk+0hnbGsthRX1Tr+Cgw5CKHe:vbXE9OiTGfhEClq9uLhjyJJUe

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\Uninstall.ini	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2160	2024	GOLAYA-TOPLESS.exe	21
PID 2024 wrote to memory of 2160	2024	GOLAYA-TOPLESS.exe	21
PID 2024 wrote to memory of 2160	2024	GOLAYA-TOPLESS.exe	21
PID 2024 wrote to memory of 2160	2024	GOLAYA-TOPLESS.exe	21

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs"
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat

Filesize
2KB

MD5
806ae060c82c3de9e0117b7291b6bb3a

SHA1
bc9050e4acf88ef35c53a4c2f6e0499d2fc1d896

SHA256
a221c4308650abbcc41949592e0898e2fca9e6c24811b11525fb32900aeeca30

SHA512
12093a2ae94f8c59df40eb1c18c3c4b739f8d9a1004f9bfc33c5b55cf8543d77037fdc45a417d06d86a13015e1153314e024dd83bb99cea73f1c0c947cc1a551

Download Submit
memory/2024-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download