Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 06:10

General

  • Target
    GOLAYA-SEXY.exe
  • Size
    181KB
  • MD5
    3f3f35a78689a29a598c14a9fd9aa3c3
  • SHA1
    62c154bb8cbffc5eda9737b898fff0da0a59d0c7
  • SHA256
    b9da462914ae7cfe9f04e712d5a61569fadc10e36e337206f8cc47d199ca0631
  • SHA512
    748dba9c36ef0808f08e24963fce9f47538c8f619d7e2e8a65dc6f94d6b8ef8de49b158b778af3de96ce46d01b3c14f1042e3ae8a7d48e13e751965200faabe2
  • SSDEEP
    3072:xBAp5XhKpN4eOyVTGfhEClj8jTk+0hUEQT3/e:0bXE9OiTGfhEClq9rEQa

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\OnmywaytoHamburg.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:3836
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\all.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops file in Drivers directory
      PID:4872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\OnmywaytoHamburg.bat
    Filesize
    2KB
    MD5
    219726ead7ab4b5fd8906be411f14392
    SHA1
    5650c6aebd15fffda59e65d5b5760605b3409614
    SHA256
    75519c25dad7ecaa62047a789d952d12e8e8a902e61ce19362f442735074e34a
    SHA512
    2b9d657e2f7a89aed41996f2094558632bb1a299a09e26a8d57aa2fb68ad02615c781a22ce03b659aa7fd65bbef3f005940bb87d924581a3cb8a2e9b6549deae
  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\all.vbs
    Filesize
    946B
    MD5
    5af7f7f00d85df5611cb9d578a85c7e2
    SHA1
    b9e4dcca49d20c5038f398716dcf5b351f88e3a6
    SHA256
    81e91d21dc66eb86c186b0fe8eda82c6f7cffa5d772c4a7bf168d9bbeb0a5642
    SHA512
    95335ec6ec9060f1b18928a11bd45e5110ba8114044bd1a0487dc09fa69c1ee821ea055252e6df54ce939da8c8f0eda9e672fd13308ce8fbf7f9de99b7b7ade0
  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\planningandinforma.tion
    Filesize
    74B
    MD5
    c49ee96be65e178e1c488189196f1afc
    SHA1
    afc3b8272565e3b3e12f583cc7a6dbb9f709be34
    SHA256
    f2f2a56426c9f282dc7786c412bc2c47e4892db75413ec65b4b86387e7df207d
    SHA512
    ebf493c06d3c2726ba935c0f202b8a46d87466c86654555ba2510dd573ef9477d58c12301103f115e362862e788335fba984cd6b582c38bb52c1bb2f867ba747
  • C:\Windows\System32\drivers\etc\hosts
    Filesize
    1KB
    MD5
    7f599db5118d13669d05c69e7c7e03ab
    SHA1
    6ba5333e3e7e4046a74bb73fbc8051acd8b47c7c
    SHA256
    cfe9611a359ba9b5b640bf9f978d935825644998387936fa05554eb9ec768be6
    SHA512
    bb8baa0a728cdc95d556f894272030c819589608d501f67c26726520110ec1deb91b31df0133320e32a3d34aa76bbd6fac148a0cbadaa379d644db03d4778ff9
  • C:\Windows\System32\drivers\etc\hosts
    Filesize
    1KB
    MD5
    c0805e6fff9d30c65b91bc9284beac8e
    SHA1
    45456e27d6632159ed7e4403caa1a16721c3b603
    SHA256
    53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228
    SHA512
    34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3
  • memory/2940-37-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize
    200KB
  • memory/2940-40-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize
    200KB