Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28-02-2024 16:53
Static task
static1
Behavioral task
behavioral1
Sample
PHOTO-GOLAYA.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
PHOTO-GOLAYA.exe
Resource
win10v2004-20240226-en
General
-
Target
PHOTO-GOLAYA.exe
-
Size
180KB
-
MD5
55e47874ef9912a4309c4c90af7b67f8
-
SHA1
bda07533ed744d3c78ee34ab416d883504212e3e
-
SHA256
c3199ed5f9a3d4e51e4ff8287875a04a91602e348dcef11c403e90d96eea59f7
-
SHA512
d01550350e18c0507e8f45e1a970cfd6bfa910c2a334fe65ffc26f7347e9b967906a950bd6918fa2c19aebfdf087f2f82bf3a47e96af1ef903697d3672edad36
-
SSDEEP
3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0h6ejmo:+bXE9OiTGfhEClq9dejD
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2732 WScript.exe 5 2732 WScript.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts WScript.exe File opened for modification C:\Windows\System32\drivers\etc\hîsts WScript.exe File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot PHOTO-GOLAYA.exe File opened for modification C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat PHOTO-GOLAYA.exe File opened for modification C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs PHOTO-GOLAYA.exe File opened for modification C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs PHOTO-GOLAYA.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3068 wrote to memory of 2668 3068 PHOTO-GOLAYA.exe 28 PID 3068 wrote to memory of 2668 3068 PHOTO-GOLAYA.exe 28 PID 3068 wrote to memory of 2668 3068 PHOTO-GOLAYA.exe 28 PID 3068 wrote to memory of 2668 3068 PHOTO-GOLAYA.exe 28 PID 3068 wrote to memory of 2660 3068 PHOTO-GOLAYA.exe 30 PID 3068 wrote to memory of 2660 3068 PHOTO-GOLAYA.exe 30 PID 3068 wrote to memory of 2660 3068 PHOTO-GOLAYA.exe 30 PID 3068 wrote to memory of 2660 3068 PHOTO-GOLAYA.exe 30 PID 3068 wrote to memory of 2732 3068 PHOTO-GOLAYA.exe 31 PID 3068 wrote to memory of 2732 3068 PHOTO-GOLAYA.exe 31 PID 3068 wrote to memory of 2732 3068 PHOTO-GOLAYA.exe 31 PID 3068 wrote to memory of 2732 3068 PHOTO-GOLAYA.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat" "2⤵
- Drops file in Drivers directory
PID:2668
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs"2⤵
- Drops file in Drivers directory
PID:2660
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs"2⤵
- Blocklisted process makes network request
PID:2732
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD503e9683ed6157dfeaada0e7d5c55a409
SHA1878dba26d22b3b4c47a5dc13e4a68ad63f07d2c6
SHA256cce51b8541d079175b37f9b22902f85f27c9de03b5466dcfe7a82daa14b15e4a
SHA512699b5cb531dc55dc0b9c01a1ba65bdfcc7ea858c8f7a7005aadcd0bea7be0da9670bae1142cabf90e4ad1b91ff9ca2c28fe60853a28f7cc878d51ee5a6d34dfa
-
Filesize
832B
MD509ea7ee88b7a890a2058d2f52c2b4f5c
SHA10fccc6f49a845e3442699f3ad94dc832a4d5fed4
SHA256a280900950d0e042ce530253cecbe8cc935c834cc0f59ed44fc6df2997d46cd7
SHA512506d425c629be0422a3e8ad54929009896ee6c207c930efeb44f4c0c1eea2d1cea1e47e7da62c5de22b4c678e807db625eb422e5d99f4398429bcc33771dc50f
-
Filesize
620B
MD5ebf109802b6133561dd4104d30b7dd13
SHA1adcd1ac47883bdad5936aa4080ba59591ff89e53
SHA256c89ededbc38e21b8adb80620fca77cda32b981dee039b64ef76b73388b742750
SHA512ab91d5b87d49e02ad915c697747da134986523a4ee3a3f67e230f522334dbee1feb9f92184e03d346309793d6812c0710e8f82a3e1477d7997e74c9922500ae4
-
Filesize
34B
MD5aa5511a167a67e429a9fdf3ac25bce0e
SHA18ac961be922cdc3314ed342e809d68637e9ea1f2
SHA256bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665
SHA512736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10
-
Filesize
1KB
MD525ee27baa31c59fdf6cf5d18955ef985
SHA151d4725afa6d997cb7347c60a7d17485a8fb2ea7
SHA25675daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d
SHA5128a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e