ad36375e1b1d0291ac090e95586a9a73d48252fdf6694f5ab43fdb14389440e7

General

Target

GOLAYA-RUSSKAYA.exe
Size

239KB
MD5

d141270ed4ca25be1fd7cd61f1d91f1a
SHA1

b5860a78425caa29e00f575de4bcf8dc3314e966
SHA256

eeb248baee68277a58652fa4a8a5c55357027be32389f6fd01c73bc4c3a1b8fd
SHA512

510814a7ad4416d39372f347b774cb7170900a7fc6e7eb07f84212f861a586b406964f3599bd3533a9884c891fc75335eb7daaa562fe1e60ef2f3b7a7f85b110
SSDEEP

6144:dbXE9OiTGfhEClq9npor2Iw7Wuq1IOlWJJUK:NU9XiuiSoTlc

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	408	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	GOLAYA-RUSSKAYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.normik	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\Uninstall.ini	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\3.exe	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt	GOLAYA-RUSSKAYA.exe
File created	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs	GOLAYA-RUSSKAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	GOLAYA-RUSSKAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 2252	3648	GOLAYA-RUSSKAYA.exe	84
PID 3648 wrote to memory of 2252	3648	GOLAYA-RUSSKAYA.exe	84
PID 3648 wrote to memory of 2252	3648	GOLAYA-RUSSKAYA.exe	84
PID 2252 wrote to memory of 408	2252	cmd.exe	86
PID 2252 wrote to memory of 408	2252	cmd.exe	86
PID 2252 wrote to memory of 408	2252	cmd.exe	86
PID 3648 wrote to memory of 4948	3648	GOLAYA-RUSSKAYA.exe	87
PID 3648 wrote to memory of 4948	3648	GOLAYA-RUSSKAYA.exe	87
PID 3648 wrote to memory of 4948	3648	GOLAYA-RUSSKAYA.exe	87

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\snova holod\beskonechnaya\chervyak.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\dobit.vbs

Filesize
258B

MD5
4f13c561e8c1a666e912afefd7cf758d

SHA1
9cfd5e512bbc2be7ed670f85a731d97a83c71077

SHA256
ebb4b61362f29913fab27388fbd70963155333eee1cb4e94110730c82d4eab40

SHA512
e7395661df1e81db2575900162112020dd5b6e82debb1e9c419c4399bab92d1ddbb50d0f33f9df54716c7c9398e86013cdfac82f4c2ed0e7e756f068679f3d54

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\kak_zima.bat

Filesize
2KB

MD5
8e4cd8a7063f4201664b9e3118aab994

SHA1
d7a1f5b5248fd7ecad26c92f1cf12ae5e7fc1d59

SHA256
be7aabfc7c5cd64d6d5b2d0ca973809290f9f829959a2858bfec2c2d943a8f31

SHA512
9ab618876d2aa8275a321f281e46777d7882de6737bdd22fd55991a024f920b9b691df84e7d5c1d0dcf31e514d216d8251b457628103009927b5460c5e754cf6

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\prihodi_ko_mne.vbs

Filesize
697B

MD5
8b8766e88c5be7e0313dfd7b0805f1e5

SHA1
762adb329dec6ab328aa9b8d103845454a728952

SHA256
5e2af02f511518cf584407fa7aace6c56670941f4e8aa96ff6f010a21202e29a

SHA512
952010a4bcea053e341a956bfd3bb45078993dcc521932b2eee98354e3457017f09213dfc463ab6b34bc1d5b2321e2ec78b63359bb49affff45bd6671f2a5753

Download Submit
C:\Program Files (x86)\snova holod\beskonechnaya\snovabudet.axui

Filesize
55B

MD5
eebc9086a079af7f6d895c462a250982

SHA1
413f00b078361100962d5b048eee0f3c86c27fcd

SHA256
761b89d1fd5256fb7bf7fd12ad675776de419ad419c1e5e211ad4784eff80d44

SHA512
bfa9e27ea406a7f101badb7e65fb9ffa2ead70d8ef217206184c49385160f7536ae745b66e00e3ee4f549876b689c787c8857614e93b6e096c5ef25d4e68e801

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
acbd4b39fdc4bc63b1de2aad13d2cfe7

SHA1
435836c54fbfa7683bf2c34328f4646bdcc48704

SHA256
ddc5edc708c85159ee0888d15bd029986d6a0d0a2dcfe8b33411554e2855fbb7

SHA512
b217361ea508a7faa2587872e24e81808e180759ddcddda061b3ea3a36d2f7b77c903be3e89b1afc612bc6ab0f7584a35622f5bbb62c5c013a4b8adfdc916377

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a93296f8c62ab96271667c72d7a3b3

SHA1
abcf5a6ed773cfc978fc2176138778ad406c188a

SHA256
f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

SHA512
f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

Download Submit
memory/3648-49-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing