5932c40633f064d040034a12bcddc56ca708116df6722903dee7e9a26c27b9e7

General

Target

GOLAYA-SEXY.exe
Size

180KB
MD5

60cbfc2f232c3190b9772c91d643e1ef
SHA1

a3faa948e0bb149845b14b9e8d99bbf834893d52
SHA256

405b0ed35de635046a977e7cb4a17c709d9471169fac1a493cfa4995497b2783
SHA512

d9ac65966310962dcf173d0d24cb09e1b0201a1b558ea4904056c05bea1c3d2215a191de6acca12475e12ecdf988781ce94238de2e12b0c5f6e880379e2e9633
SSDEEP

3072:OBAp5XhKpN4eOyVTGfhEClj8jTk+0hJiaqR//1Wcjej5EqhnBWz9T6M39rI2S:lbXE9OiTGfhEClq9mqR//1Wcjej5Eqhr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2568	WScript.exe
7	2568	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs	GOLAYA-SEXY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2620	3052	GOLAYA-SEXY.exe	28
PID 3052 wrote to memory of 2620	3052	GOLAYA-SEXY.exe	28
PID 3052 wrote to memory of 2620	3052	GOLAYA-SEXY.exe	28
PID 3052 wrote to memory of 2620	3052	GOLAYA-SEXY.exe	28
PID 3052 wrote to memory of 2564	3052	GOLAYA-SEXY.exe	30
PID 3052 wrote to memory of 2564	3052	GOLAYA-SEXY.exe	30
PID 3052 wrote to memory of 2564	3052	GOLAYA-SEXY.exe	30
PID 3052 wrote to memory of 2564	3052	GOLAYA-SEXY.exe	30
PID 3052 wrote to memory of 2568	3052	GOLAYA-SEXY.exe	31
PID 3052 wrote to memory of 2568	3052	GOLAYA-SEXY.exe	31
PID 3052 wrote to memory of 2568	3052	GOLAYA-SEXY.exe	31
PID 3052 wrote to memory of 2568	3052	GOLAYA-SEXY.exe	31

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
adfa3504726c370d71cd5cec4d6a85f6

SHA1
b8fc46a426e0cc75dcd64aebecd46b946c19e2b3

SHA256
02d9bf62a462c7c5605be837932cacd8db47952c052d87d0ae6b6981b3b474da

SHA512
b6d29d871d3fc2c2d89a80881f6d1e5b56311edf031a8092391b67574258217148334bd413fdccd82ad71ed9f4a3b457a1f01f27f4c576715ed8ca7dfe4d4697

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs

Filesize
916B

MD5
67e1d51993ed12432fd75fd20092a917

SHA1
c08fbfb72aad721c0d6e2462b95f4791aaf254b7

SHA256
51e3215c072e2736d8e0f0dfb214576ebe9be0d65fbad14da390b22bc1174398

SHA512
35ce72b6de2e3cab059245529770e100527afcaada2344a88ba01a4e3ffca7dab372d88515a82fa4465961a6552460f9e6951fc377f6e4422881023f96ba19df

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs

Filesize
659B

MD5
01f4fe67b1f826d41ec440ec43256da9

SHA1
4ee7038e44a2e8387b1f7247ecb2c50a9af040d7

SHA256
4d06cd27e90aa2089d95d95e2277eae858861b084f8d066c5616121c79e861b5

SHA512
1ca9f4eb2bd16de93561b094f58259fdd94d6b227a57d2a218919acf24da124f6974eba3ebb1d65ed4d1a4fe0a871661dbc227eac83836aed0678ae9bfb9d22d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
25ee27baa31c59fdf6cf5d18955ef985

SHA1
51d4725afa6d997cb7347c60a7d17485a8fb2ea7

SHA256
75daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d

SHA512
8a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e

Download Submit
memory/3052-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing