6c3e88878e236960e93bd1e693314be3404ca5fe793661eeb52b36deab40114d

General

Target

GOLAYA-RUSSKAYA.exe
Size

240KB
MD5

934d29283079d878fae23838ff5d156b
SHA1

773c0ba664625a4030af3b8ea321de5ee0e029c6
SHA256

fe9d78c0c394e248da57fc5693fe5cb0a759489c93ae300adef582f1069413c6
SHA512

d410f0196092ad17a00496a587cd135e610efd6af47091731be9040d9426e2d24641e5989dc753d4e9d7ba3f126f8f2ce467f006c303a659cfb8495c8c119fc2
SSDEEP

3072:4BAp5XhKpN4eOyVTGfhEClj8jTk+0hnbGsthRX1Tr+Cgw5CKHe:vbXE9OiTGfhEClq9uLhjyJJUe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2816	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	GOLAYA-RUSSKAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\Uninstall.ini	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	GOLAYA-RUSSKAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 4616	1540	GOLAYA-RUSSKAYA.exe	89
PID 1540 wrote to memory of 4616	1540	GOLAYA-RUSSKAYA.exe	89
PID 1540 wrote to memory of 4616	1540	GOLAYA-RUSSKAYA.exe	89
PID 4616 wrote to memory of 2816	4616	cmd.exe	91
PID 4616 wrote to memory of 2816	4616	cmd.exe	91
PID 4616 wrote to memory of 2816	4616	cmd.exe	91
PID 1540 wrote to memory of 4540	1540	GOLAYA-RUSSKAYA.exe	92
PID 1540 wrote to memory of 4540	1540	GOLAYA-RUSSKAYA.exe	92
PID 1540 wrote to memory of 4540	1540	GOLAYA-RUSSKAYA.exe	92

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik

Filesize
216B

MD5
41ffde2af2fa5859ce6aa839370d6d91

SHA1
ea6b40dee843fb2da5426cca128e56f26517dc43

SHA256
8ccbd7ab5ea149cbe5e8f6c02a83a051cd3af1fcbf13e0b119f3493794dfbdf2

SHA512
27d0a6d918b0ecce88fe9e80e4f0a9f04a904693670325feb774120ee96384e525edbc4289e6bc6e394398a464474cb824ef7b2fa9b54ee5e2251551645bf74c

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat

Filesize
2KB

MD5
806ae060c82c3de9e0117b7291b6bb3a

SHA1
bc9050e4acf88ef35c53a4c2f6e0499d2fc1d896

SHA256
a221c4308650abbcc41949592e0898e2fca9e6c24811b11525fb32900aeeca30

SHA512
12093a2ae94f8c59df40eb1c18c3c4b739f8d9a1004f9bfc33c5b55cf8543d77037fdc45a417d06d86a13015e1153314e024dd83bb99cea73f1c0c947cc1a551

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs

Filesize
741B

MD5
1310ee3d115fa438b2ad8a90adb248ad

SHA1
60cda736223211876c5d69238f9ec364359c5902

SHA256
d10e7fde0640490062b98d3d53f1cb65dc02906e90a0b4cc8b698eccc6c51e7f

SHA512
a8b4af726190118147dcdf87081859c987af2e709944bc4dd0009f88d44d3bfe78978a4fdfd87d03bd6e7a65e14d2be8ab54eb715cb5aa850635da6f556422bb

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui

Filesize
69B

MD5
337fd7f482967d86c608e11f07a2f086

SHA1
a7a9e3801775eb02f879a769ad306de48b402852

SHA256
199c7e48807b60549ad9146503628763eb09542dedfabb74fd5aeb7a0d52cfd6

SHA512
a8f6c886eab8ce09a8c30be2461e34e1d6ac787658aa9454757ccd8f7f9f5df82a6d749a7d5d0b17dadfeb1b65a87d0a66e5d9b3b4bd0ba030735eb67ddbef7c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
ce64e1461bb1b425684ec3b39735d1ef

SHA1
f435de655755e05d34b9eb24ad136ebc328e2ccb

SHA256
91745d5e9ec68a19625f2866b32b782f362ede0b544b1d2e665886b6df2dad15

SHA512
a6e00788da1541073627d2ea203a6e5581d7f9b0d958ff83f3af97a55768e23e3776c8cd1572b1426fc1c0e0f61e2afc08b9290b2468289b3dd5a0a7c2fa7a6d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a93296f8c62ab96271667c72d7a3b3

SHA1
abcf5a6ed773cfc978fc2176138778ad406c188a

SHA256
f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

SHA512
f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

Download Submit
memory/1540-49-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing