8179db361cc24328f29591fc7f2c930185b4541d5ebfa3f53fb8bcb1dc0dcfa7

General

Target

GOLAYA-TOPLESS.exe
Size

238KB
MD5

43fe764bb0d948ccae24fcbd8ac7c17e
SHA1

5f787deaec858095f6894f892b71b7e03a05d106
SHA256

f5c517c991353a148cea7f08bdb6e9eb34abc7e2fe98e25ae99dbd9f9a951aff
SHA512

e985b9f2bc813d66f2cd2a3b5e31a5dbf9e23f8046719e39657acd8b50554f6de2dce104d78ca5436a007c157bb4cc60d0c6355df9748271be5cfddfc2178b0d
SSDEEP

3072:jBAp5XhKpN4eOyVTGfhEClj8jTk+0hsquxV/hvdG+Cgw5CKHm:ObXE9OiTGfhEClq9XqK/hvxJJUm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

3 2620 WScript.exe
5 2620 WScript.exe

flow	pid	process
3	2620	WScript.exe
5	2620	WScript.exe

Drops file in Drivers directory 3 IoCs

Processes:

WScript.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

Processes:

GOLAYA-TOPLESS.execmd.exe

description	ioc	process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

GOLAYA-TOPLESS.exe

description	pid	process	target process
PID 804 wrote to memory of 2260	804	GOLAYA-TOPLESS.exe	cmd.exe
PID 804 wrote to memory of 2260	804	GOLAYA-TOPLESS.exe	cmd.exe
PID 804 wrote to memory of 2260	804	GOLAYA-TOPLESS.exe	cmd.exe
PID 804 wrote to memory of 2260	804	GOLAYA-TOPLESS.exe	cmd.exe
PID 804 wrote to memory of 2620	804	GOLAYA-TOPLESS.exe	WScript.exe
PID 804 wrote to memory of 2620	804	GOLAYA-TOPLESS.exe	WScript.exe
PID 804 wrote to memory of 2620	804	GOLAYA-TOPLESS.exe	WScript.exe
PID 804 wrote to memory of 2620	804	GOLAYA-TOPLESS.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
PID:2260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
2⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat
Filesize
1KB

MD5
b037a7092246f8d56a207597154371cd

SHA1
3677576138ea2351f632ef4a29f95104d8c7f7e2

SHA256
b12531b23328b882c2576cd0e227eae6cc545293ea74042722a8100ea6af63fd

SHA512
866c8200bb7becd02cf92152d92f00ba3c618ef306c44c51ccdfb05865153b7eada9ec93bdd3c9203716f4fc96dce2c8d203ea6270f03abd935a2fa865f9efa4

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog
Filesize
106B

MD5
74305d205702e48e96da6265224b456f

SHA1
387686c3598b5d9bb084f1597aeb3c1687b8b001

SHA256
afc5e57f3536cc17c46c377efe3746f80079b1917597bb3430298ddb570a3faf

SHA512
67fb29190052df27d2a5166a9de5233b64037aac5d00cb31c986850bfcb91f6df8927aa76140dcb126cd8f82eb8dc6c5aaef87816ec5505f176ff62286fafdf0

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs
Filesize
1KB

MD5
0fb71731025e52071e42902e8e5d6dca

SHA1
aac6bed86ec6cca26fba46fef6c6cb6669906303

SHA256
772d47e02f430cc82989149e6ec08f93e8a52447cf075e49a910a5123530d5d9

SHA512
e7567abcee0f5c6c27222491f93974e54487c131185deac5406d2a54292b01f0928b357966430f4354e59c7f14f4cf612d72575dbda4f18fbbb697bdb51493f7

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
07747e26ea3ffd06b1e9825864be253c

SHA1
97b8ae03f2a4835ba0cef297bd1582aa2eebb983

SHA256
13e54f2ba2925d259803f92c44c26c3b1739f6340087475159bb140eed3a2f32

SHA512
619747f33df62d66437c874ba60ed33c8a178127ea763388b816bf7b3e332e94c612f6360fd23e008256c73b70b4660278578c2758ad09ae544e10736f8d6b8d

Download Submit
memory/804-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/804-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads