Analysis

  • max time kernel: 121s
  • max time network: 132s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 25/02/2024, 09:31

General

  • Target: PHOTO-GOLAYA.exe
  • Size: 239KB
  • MD5: 2b39981352a5356af3c6ef0f147e38d0
  • SHA1: 06d295b726af54cfa5fff54884a775349e089e77
  • SHA256: f79f92660dffba6030e27b31734b990fdf1c3ac84805cd0757a889e4909cbd3a
  • SHA512: 1a28c51973a67d62f0e12ee51445fce6f5c830c10da70323daa5ce3568600a0fa59e9f188b154250af6c933f8e748cfc5932d757baa8056ab340a0ad43a1ff1d
  • SSDEEP: 3072:JBAp5XhKpN4eOyVTGfhEClj8jTk+0hqIgMKTNRfE+Cgw5CKHK:MbXE9OiTGfhEClq9nlNPJJUK

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Drops file in Drivers directory (3 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (13 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:2724
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops file in Drivers directory
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat
    Filesize: 1KB
    MD5: 9035b833c805a3c4cd6d9d5f12518415
    SHA1: fc703a4a33f2e87cdca3653fe283c724b6bf2e88
    SHA256: 580c52daabc37afbfa437934bfe0459147acd387ad55e4a2435d984c98a9ee3c
    SHA512: aab62152a9da71399498f10ffb8f8a7d69bb2a0125f6c2377ee5973c3a3a5d1eb6952790ec44ca94f3f14c92eb5cf3a86a9ad6001b445bd2f1ea36a38149de40

  • C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua
    Filesize: 1KB
    MD5: 70f82479add509725394fab75b5507c3
    SHA1: 3eed208a455295f19df8aafe74fc69980d283281
    SHA256: 305e34e742e111ae36b2f9dfe36e7461a392f4672efce52767b117fa98a37c3b
    SHA512: 59b2d8c62f659b1ab4757b200c787a1ef237c76bac1d21538ec77f38c55b0f04a6a59cb1e88ce4f27d740fabdc4ec0672d31be978bf5ef1e826ba730e30f9b9b

  • C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro
    Filesize: 106B
    MD5: 74305d205702e48e96da6265224b456f
    SHA1: 387686c3598b5d9bb084f1597aeb3c1687b8b001
    SHA256: afc5e57f3536cc17c46c377efe3746f80079b1917597bb3430298ddb570a3faf
    SHA512: 67fb29190052df27d2a5166a9de5233b64037aac5d00cb31c986850bfcb91f6df8927aa76140dcb126cd8f82eb8dc6c5aaef87816ec5505f176ff62286fafdf0

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: 8aaf3ecca37a8919fc3d03fd8afccff5
    SHA1: ec7cec657f482fdaba785fc33e487816d8292e5e
    SHA256: 8f33ff8bf0e1ce50e9d82e003e9c541c31381ab6b64b1e003cae60394fbf8e9c
    SHA512: ee5f7aa0536266e55733fc72ba0ccdfa1340a8885a3d8dbcbb22b8ebc6853541c70ade83f036a2d411956b98e9354ae81c5a132f0b576725c8a0676e76b2bba7

  • memory/1856-44-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize: 200KB

  • memory/1856-48-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize: 200KB