9c9249e2b1ba2e25b198031db6f05140b2a2b262e7d70868c04364d677cef16c

General

Target

GOLAYA-SEXY.exe
Size

239KB
MD5

04064e235ccba1b961f9bc91a2ad641f
SHA1

397300571dbcc187bcaec547b392f7a52d524bbe
SHA256

d90579eac17795a9b27b80ef069b7b6337f418b9ac28909f9bc602c5ed3a10df
SHA512

d30a7aa5d448169b161b647e11078c0cf1916b209d3358c320decd21b03836fbc457fcfbd68216aad04570c15981ef3484fcadcb45b13b71aad6fdff8b654118
SSDEEP

6144:pbXE9OiTGfhEClq9Dos9HOgmFBBBBBBBBBT1lYQaPJJUq:RU9XiuieG1lYQav

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1280	WScript.exe
5	1280	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\lethala fell blowsinisterby somefell.chanc	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.ini	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\lethala fell blowsinisterby somefell.chanc	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat	GOLAYA-SEXY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2600	2240	GOLAYA-SEXY.exe	28
PID 2240 wrote to memory of 2600	2240	GOLAYA-SEXY.exe	28
PID 2240 wrote to memory of 2600	2240	GOLAYA-SEXY.exe	28
PID 2240 wrote to memory of 2600	2240	GOLAYA-SEXY.exe	28
PID 2240 wrote to memory of 1280	2240	GOLAYA-SEXY.exe	30
PID 2240 wrote to memory of 1280	2240	GOLAYA-SEXY.exe	30
PID 2240 wrote to memory of 1280	2240	GOLAYA-SEXY.exe	30
PID 2240 wrote to memory of 1280	2240	GOLAYA-SEXY.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking

Filesize
1KB

MD5
64513b672ed644f009db5bc6c8bf44c9

SHA1
4f484bb84c21515850ec1f6ebafb8bee861e89be

SHA256
5f0abbddbc62da497455a47db3aedb5d111f6bb6909d2a949f48d74d08f25f00

SHA512
44ae97aa2f45f42aaf6c12d0c79c0c14b54688fbf5870c66c3fed684ba30c480bc669f4ef3acec93dde87a8264e0713cdccbb7e7b7a95aa3450a1f292a40492e

Download Submit
C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol

Filesize
112B

MD5
a97805a7dcdf57804ebce37d2599a681

SHA1
99cfacb04b6bbe087d6c46e3d920ba9ab0a4f056

SHA256
0c6fa09a4144b4313cd2a859b98b622f836c1ea311d84aca4dcd25f706d35039

SHA512
dca01920001d10435669e51f2ba65159e9997bc0e4a3f12e0b52b66061e402194d01ac8cfd74c53499cdf59aa9f6adf3fa0e5e73b6ef1d4c0e8a5bc9955ab1c9

Download Submit
C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat

Filesize
1KB

MD5
45ea0a8362b1b78aba7698311d3885b8

SHA1
acd14f626ff4853349be802cbc7df95a760ed17a

SHA256
98ab8b0dc5a83db1e3991abf9fd21d831151a1a620bc3be0a8f013160037c299

SHA512
9092de4f64a503abca6849a3d9b32fbb060f3623d9996ce3e109e65a9caf4e21e22d4ee59805e577aa473a5a58d3c65a6ae7d42418b573dd7727819f46077fa7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
84329ca38521147bedbf96352ded8748

SHA1
ed0f088b1ea944f0e5feb88bbee6569f6d3d7ad4

SHA256
09b4e6bed5e704ec4c86dd0fe1832885e2754d39ae6e13983b2118e7ea6926b0

SHA512
f2ec192d3925a2889b164693a8907b878f155e9e66875be8d6b17545430c11eaf39bc23cd2896f5795a2e7cc050ca22b03c65da53b17186fc3419de51447d652

Download Submit
memory/2240-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2240-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing