Overview

overview

8

Static

static

3

PHOTO-GOLAYA.exe

windows7-x64

8

PHOTO-GOLAYA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    93s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-02-2024 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PHOTO-GOLAYA.exe

  • Size

    180KB

  • MD5

    55e47874ef9912a4309c4c90af7b67f8

  • SHA1

    bda07533ed744d3c78ee34ab416d883504212e3e

  • SHA256

    c3199ed5f9a3d4e51e4ff8287875a04a91602e348dcef11c403e90d96eea59f7

  • SHA512

    d01550350e18c0507e8f45e1a970cfd6bfa910c2a334fe65ffc26f7347e9b967906a950bd6918fa2c19aebfdf087f2f82bf3a47e96af1ef903697d3672edad36

  • SSDEEP

    3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0h6ejmo:+bXE9OiTGfhEClq9dejD

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:4732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1356
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:2308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat
    Filesize

    2KB

    MD5

    03e9683ed6157dfeaada0e7d5c55a409

    SHA1

    878dba26d22b3b4c47a5dc13e4a68ad63f07d2c6

    SHA256

    cce51b8541d079175b37f9b22902f85f27c9de03b5466dcfe7a82daa14b15e4a

    SHA512

    699b5cb531dc55dc0b9c01a1ba65bdfcc7ea858c8f7a7005aadcd0bea7be0da9670bae1142cabf90e4ad1b91ff9ca2c28fe60853a28f7cc878d51ee5a6d34dfa

    Download Submit

  • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs
    Filesize

    832B

    MD5

    09ea7ee88b7a890a2058d2f52c2b4f5c

    SHA1

    0fccc6f49a845e3442699f3ad94dc832a4d5fed4

    SHA256

    a280900950d0e042ce530253cecbe8cc935c834cc0f59ed44fc6df2997d46cd7

    SHA512

    506d425c629be0422a3e8ad54929009896ee6c207c930efeb44f4c0c1eea2d1cea1e47e7da62c5de22b4c678e807db625eb422e5d99f4398429bcc33771dc50f

    Download Submit

  • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs
    Filesize

    620B

    MD5

    ebf109802b6133561dd4104d30b7dd13

    SHA1

    adcd1ac47883bdad5936aa4080ba59591ff89e53

    SHA256

    c89ededbc38e21b8adb80620fca77cda32b981dee039b64ef76b73388b742750

    SHA512

    ab91d5b87d49e02ad915c697747da134986523a4ee3a3f67e230f522334dbee1feb9f92184e03d346309793d6812c0710e8f82a3e1477d7997e74c9922500ae4

    Download Submit

  • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot
    Filesize

    34B

    MD5

    aa5511a167a67e429a9fdf3ac25bce0e

    SHA1

    8ac961be922cdc3314ed342e809d68637e9ea1f2

    SHA256

    bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

    SHA512

    736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    2296897b43ba3d81a95d621853e0ef3d

    SHA1

    bd479992fbe2ec2145b295be5ab9ef8e317ea333

    SHA256

    078d83575dfe7286ddc05b29032dcf3de76d74cae149d94163fddf83c1f5df49

    SHA512

    ab9a82da93b1c4e89dd7b40ca5a489b4cbee366c2d5f0ca40c810248efcf32ca6c86abdc46fafaa838eaa5ea607740ac85bdda89f212c3669418ccd7d3e8619c

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    7b561e5093eb943dbad98e4e1c72f91a

    SHA1

    f9174925f52ee2c7d0e09bf4993d7b12c6d268bf

    SHA256

    60e809d41d5772e3e7b2555ab949160c831e889fb7eb99cc95baf201f0657212

    SHA512

    69487f6d604e8d47ece431439a147e1672a185c90a132649c30a3540458d331eedc9923c24fe8261f811602573f830d2f4ce99d716c0906d72ce9374d8acb78a

    Download Submit

  • memory/3592-26-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download