Overview

overview

8

Static

static

3

GOLAYA-PHOTO.exe

windows7-x64

8

GOLAYA-PHOTO.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2024 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-PHOTO.exe

  • Size

    238KB

  • MD5

    43fe764bb0d948ccae24fcbd8ac7c17e

  • SHA1

    5f787deaec858095f6894f892b71b7e03a05d106

  • SHA256

    f5c517c991353a148cea7f08bdb6e9eb34abc7e2fe98e25ae99dbd9f9a951aff

  • SHA512

    e985b9f2bc813d66f2cd2a3b5e31a5dbf9e23f8046719e39657acd8b50554f6de2dce104d78ca5436a007c157bb4cc60d0c6355df9748271be5cfddfc2178b0d

  • SSDEEP

    3072:jBAp5XhKpN4eOyVTGfhEClj8jTk+0hsquxV/hvdG+Cgw5CKHm:ObXE9OiTGfhEClq9XqK/hvxJJUm

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:2956
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops file in Drivers directory
      PID:224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat
    Filesize

    1KB

    MD5

    b037a7092246f8d56a207597154371cd

    SHA1

    3677576138ea2351f632ef4a29f95104d8c7f7e2

    SHA256

    b12531b23328b882c2576cd0e227eae6cc545293ea74042722a8100ea6af63fd

    SHA512

    866c8200bb7becd02cf92152d92f00ba3c618ef306c44c51ccdfb05865153b7eada9ec93bdd3c9203716f4fc96dce2c8d203ea6270f03abd935a2fa865f9efa4

    Download Submit

  • C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog
    Filesize

    106B

    MD5

    74305d205702e48e96da6265224b456f

    SHA1

    387686c3598b5d9bb084f1597aeb3c1687b8b001

    SHA256

    afc5e57f3536cc17c46c377efe3746f80079b1917597bb3430298ddb570a3faf

    SHA512

    67fb29190052df27d2a5166a9de5233b64037aac5d00cb31c986850bfcb91f6df8927aa76140dcb126cd8f82eb8dc6c5aaef87816ec5505f176ff62286fafdf0

    Download Submit

  • C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll
    Filesize

    1KB

    MD5

    0fb71731025e52071e42902e8e5d6dca

    SHA1

    aac6bed86ec6cca26fba46fef6c6cb6669906303

    SHA256

    772d47e02f430cc82989149e6ec08f93e8a52447cf075e49a910a5123530d5d9

    SHA512

    e7567abcee0f5c6c27222491f93974e54487c131185deac5406d2a54292b01f0928b357966430f4354e59c7f14f4cf612d72575dbda4f18fbbb697bdb51493f7

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    b4434980101442bcce3e0b0f6d12d743

    SHA1

    1a68111eba898c9b337b1dcd8cd803e339df5335

    SHA256

    9e8f7c183744c28ee7e84f2804a12185b1d330e25a929dd71c1adee6f6dbfb93

    SHA512

    86fc9e287d669446159989e463774cba0a5105c5394231782f41fd61cb41647ab48b4d773de11e06538721c4b10900548ac328e38fbfac217927dd9f9fdf9941

    Download Submit

  • memory/2496-39-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2496-41-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download