9c9249e2b1ba2e25b198031db6f05140b2a2b262e7d70868c04364d677cef16c

General

Target

GOLAYA-SEXY.exe
Size

239KB
MD5

04064e235ccba1b961f9bc91a2ad641f
SHA1

397300571dbcc187bcaec547b392f7a52d524bbe
SHA256

d90579eac17795a9b27b80ef069b7b6337f418b9ac28909f9bc602c5ed3a10df
SHA512

d30a7aa5d448169b161b647e11078c0cf1916b209d3358c320decd21b03836fbc457fcfbd68216aad04570c15981ef3484fcadcb45b13b71aad6fdff8b654118
SSDEEP

6144:pbXE9OiTGfhEClq9Dos9HOgmFBBBBBBBBBT1lYQaPJJUq:RU9XiuieG1lYQav

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	3980	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	GOLAYA-SEXY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\lethala fell blowsinisterby somefell.chanc	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Uninstall.ini	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs	cmd.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\lethala fell blowsinisterby somefell.chanc	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	GOLAYA-SEXY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3040	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1920	3920	GOLAYA-SEXY.exe	91
PID 3920 wrote to memory of 1920	3920	GOLAYA-SEXY.exe	91
PID 3920 wrote to memory of 1920	3920	GOLAYA-SEXY.exe	91
PID 3920 wrote to memory of 3980	3920	GOLAYA-SEXY.exe	93
PID 3920 wrote to memory of 3980	3920	GOLAYA-SEXY.exe	93
PID 3920 wrote to memory of 3980	3920	GOLAYA-SEXY.exe	93

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:3980

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ustanovi menya plllll\life is life\Tocausetofallby.striking

Filesize
1KB

MD5
64513b672ed644f009db5bc6c8bf44c9

SHA1
4f484bb84c21515850ec1f6ebafb8bee861e89be

SHA256
5f0abbddbc62da497455a47db3aedb5d111f6bb6909d2a949f48d74d08f25f00

SHA512
44ae97aa2f45f42aaf6c12d0c79c0c14b54688fbf5870c66c3fed684ba30c480bc669f4ef3acec93dde87a8264e0713cdccbb7e7b7a95aa3450a1f292a40492e

Download Submit
C:\Program Files (x86)\ustanovi menya plllll\life is life\everybody_lie_life_is_life.gol

Filesize
112B

MD5
a97805a7dcdf57804ebce37d2599a681

SHA1
99cfacb04b6bbe087d6c46e3d920ba9ab0a4f056

SHA256
0c6fa09a4144b4313cd2a859b98b622f836c1ea311d84aca4dcd25f706d35039

SHA512
dca01920001d10435669e51f2ba65159e9997bc0e4a3f12e0b52b66061e402194d01ac8cfd74c53499cdf59aa9f6adf3fa0e5e73b6ef1d4c0e8a5bc9955ab1c9

Download Submit
C:\Program Files (x86)\ustanovi menya plllll\life is life\when_we_a_fill_the_power.bat

Filesize
1KB

MD5
45ea0a8362b1b78aba7698311d3885b8

SHA1
acd14f626ff4853349be802cbc7df95a760ed17a

SHA256
98ab8b0dc5a83db1e3991abf9fd21d831151a1a620bc3be0a8f013160037c299

SHA512
9092de4f64a503abca6849a3d9b32fbb060f3623d9996ce3e109e65a9caf4e21e22d4ee59805e577aa473a5a58d3c65a6ae7d42418b573dd7727819f46077fa7

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
a291ce7279a552e35de79e49df426a42

SHA1
7e229744f28d7fbd2c21ef2d2b1c67f7661f29f9

SHA256
bf9123776dcca8b0d2992b58e97af39dc63300cde537ff6ed4b2e0e4e2334f55

SHA512
4d004e02ce0230a958de02813bd16b391c4afaff8d7126a39e514a0ed0cb6d39d1236c6ae0caf02e1ba92668256913531b388044beb8f0b05cadf88db487aff5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
5c9f2cf9a434cffc0c3f8e62cf5c7f06

SHA1
2dd4e8cea4c11fb80db492f882164860dbf4a20e

SHA256
167f555a90c154b0da88098d9c5358d9fd3a878445819c72cc6fcca34cb49827

SHA512
e19d37a8f00b8e1f644bbd49c71eb5c96c0f8117fd799b9fb33b75e456d12bb1bde0f5243a13cabe0eb32b31ee86ce4e2add9576ab2bafae6106ab82e614f72a

Download Submit
memory/3040-80-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-82-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-58-0x000001084A540000-0x000001084A550000-memory.dmp

Filesize
64KB

Download
memory/3040-74-0x0000010852B00000-0x0000010852B01000-memory.dmp

Filesize
4KB

Download
memory/3040-75-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-76-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-77-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-78-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-79-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-110-0x00000108529A0000-0x00000108529A1000-memory.dmp

Filesize
4KB

Download
memory/3040-81-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-42-0x000001084A440000-0x000001084A450000-memory.dmp

Filesize
64KB

Download
memory/3040-83-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-84-0x0000010852B30000-0x0000010852B31000-memory.dmp

Filesize
4KB

Download
memory/3040-85-0x0000010852750000-0x0000010852751000-memory.dmp

Filesize
4KB

Download
memory/3040-86-0x0000010852740000-0x0000010852741000-memory.dmp

Filesize
4KB

Download
memory/3040-88-0x0000010852750000-0x0000010852751000-memory.dmp

Filesize
4KB

Download
memory/3040-91-0x0000010852740000-0x0000010852741000-memory.dmp

Filesize
4KB

Download
memory/3040-94-0x0000010852680000-0x0000010852681000-memory.dmp

Filesize
4KB

Download
memory/3040-109-0x0000010852890000-0x0000010852891000-memory.dmp

Filesize
4KB

Download
memory/3040-106-0x0000010852880000-0x0000010852881000-memory.dmp

Filesize
4KB

Download
memory/3040-108-0x0000010852890000-0x0000010852891000-memory.dmp

Filesize
4KB

Download
memory/3920-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3920-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing