Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-01-2024 00:33

General

  • Target

    GOLAYA-PHOTO.exe

  • Size

    149KB

  • MD5

    082651eefe9806f50fb938f393148d45

  • SHA1

    61817d9547cbfc0490511c8599261b62adbc61fa

  • SHA256

    dd854c4d604f2add306b0e004097c9fb897b4107f02407d4b521abbc22919bbd

  • SHA512

    3c8cd68bd19fb0fbb40ed1a5f53d7f83f152c4aced62e137bd7771303da26a4e74ce2648958909f2f92506ea2508665d7139a11b0568740104df87b68bcaf994

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiIvh5iBZ:AbXE9OiTGfhEClq9SE

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4372
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\salst\ogurets\all3.vbs

    Filesize

    299B

    MD5

    399aafbff20b97ae2c6119061d41cbd0

    SHA1

    3056f90e2696e9564c9a3419cc7a7c03ef14b429

    SHA256

    898eebf1486b8d382f0001cec8604b4711d21e3015334bd5a49f60d39ebdc1fe

    SHA512

    85627296a59270aa783bf64d55d2560d9ee18eaa9de88deae4b8170581bd18450f53bfbbd9bdb6ec3a99ac8a06545252a1b10a13fa3584bb75dae4f917ed1606

  • C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs

    Filesize

    744B

    MD5

    2b3d8e8acf083e55fdbaa04a313e082c

    SHA1

    d472ce8d0786478cc1f5bb1b8d9ba9085fc3ade3

    SHA256

    f75b5d1d65c4668e1c9833d7ef4dcd04013d7f1e52f80b579011cf12ba6f0846

    SHA512

    055609e1ac6e2824f5d02082e4da0995c7c1757543003cd5aa134adbf344c4c52d6d5361c909c9163dd017bc5fe6f52a5c47dc235ae77df31da8dc1bdd5a6085

  • C:\Program Files (x86)\salst\ogurets\podkati.bat

    Filesize

    3KB

    MD5

    32476fdee702c96f10c2bf839d4999ea

    SHA1

    6eba74027756760c7a3b22957efc215fbf9871e5

    SHA256

    78a635131e9f79f01185e120ecd29fb09260b56b678fccd3b23245fac2b673d3

    SHA512

    a5b73557a2293aff4b3d0e5a2f185af54abdda68ea40b5f167271da91e32f199af06bc60a6d6da4faeef960bf9844b538788745bf4c5a590807081cb6f280234

  • C:\Program Files (x86)\salst\ogurets\polenolll.pof

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\salst\ogurets\stuckja.jol

    Filesize

    51B

    MD5

    2f3e6a7cead939112e164924c1f10781

    SHA1

    33cd402d053f7597c1b825892929295e6834c35c

    SHA256

    9e32bfeb04a302900d18c7dbed95d648b766741a387001a1ef6ce32276c73136

    SHA512

    9005e318a904b7880f43e568230fd38e5a75d20f30f48b25058dad74b17d94d02bde1dbf9ee0bb931e8748f05087ab8b2116e4c00de3d134abb330bc07044ff2

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    c525250576e43ebdf6e507f70d33692c

    SHA1

    54bc4847d056796f486969729db4052e36ee5b0c

    SHA256

    0b4bb2b098ae8a8f62afaacaec63be4e8ec282e19c3b596df26efc8acb9d7295

    SHA512

    a4bb591fa54a83e0eceb239fe7aa96e76511f4b045a0dbf21c700a51ffc53050160d69051b4ff6dd5877be411fefa11e6b44e97d6dbb397d0e4af08409e4ddf6

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    d9a93296f8c62ab96271667c72d7a3b3

    SHA1

    abcf5a6ed773cfc978fc2176138778ad406c188a

    SHA256

    f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

    SHA512

    f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

  • memory/3644-55-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB