Overview

overview

8

Static

static

3

GOLAYA-BABE.exe

windows7-x64

8

GOLAYA-BABE.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 02:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-BABE.exe

  • Size

    203KB

  • MD5

    ddc256f409bf0b8e9647497da0c02077

  • SHA1

    5f17007371a209876bec6e467fbbab7634cb93b6

  • SHA256

    5114a34a00f9cb4273df0778733e2ffb006f74a065ecc0e82311f6ceb8bd2e09

  • SHA512

    d4d10039597dcdde99d8b25e4c5bcaad7514dc54f2296220e7fd108e02030b926943f53d2c622f8212340f48c9568dc000432a8ab83052c64c15c3bcfc4eed12

  • SSDEEP

    3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hJ8D4RD0c0rpOdt/46KC5NV/2iBY:WbXE9OiTGfhEClq9YKXcP7/UCpS

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\a\222\1a8.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:3056
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\a\222\dd11\0a93c4e8557cb61c55ee.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:2288
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\a\222\dd11\8546f9rtrty464b17.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4756

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\a\222\1a8.bat
          Filesize

          5KB

          MD5

          de147ce6ba1d1943dafb2e5f863516a4

          SHA1

          a090f0df6ba6874d2d1380efcc2d471854f6d86a

          SHA256

          df3746b241d470e51ce2d1c1c87ba8f4c1fb7598712c37b7a8bc37dd79e2378d

          SHA512

          e197eda48fc1e720d4839f13112dec4e8bfc1932b6168e812cca8326cc9dd4b9cd583285da00d3e6bc455d11e33e015a3b134b65389f2e0eb72691315b145bba

          Download Submit

        • C:\Program Files (x86)\a\222\dd11\0a93c4e8557cb61c55ee.vbs
          Filesize

          512B

          MD5

          47d274be3586757ba8e79a432db848a3

          SHA1

          4f53bd2d2308849fe993e3a475a7bccd430d5d81

          SHA256

          bf04ec8c40ffe1281422fe5944bad405587c6ad1ee4226f85b0915c8b573add1

          SHA512

          4b90229cd9ac8ee81c9dce0292dc3881d6d7028525e77b412e138a6fc44fa5236518c419865a093440c27dbd00bbbc58326619122138ace6c35f89b123c68175

          Download Submit

        • C:\Program Files (x86)\a\222\dd11\8546f9rtrty464b17.vbs
          Filesize

          638B

          MD5

          bb461184f044aca28b37faec5030b29a

          SHA1

          1f712dd2138a0a1c64f3da2881b22cedffa0c7a3

          SHA256

          8869ea1e9535b4e846c39458e121b625b08781748fe004a81bd91552ddffacf8

          SHA512

          329fdc364d6f44e67ecc17f38eafcd8a0a5315bb729d4a067779d35596ba417a3b90cdf8100dc0774ddf3fdef4a91c62ebd8f9c87bf04e55e8fef6f3052aec66

          Download Submit

        • C:\Program Files (x86)\a\222\dd11\kokoloda.da
          Filesize

          91B

          MD5

          fdf80ba0d1c8aecbe41796eda51c2ca7

          SHA1

          f23f744f124d18444586c39f2a4eeaef5ee295a8

          SHA256

          55e136d79fef1b1e38269f95b57c4fb4637dd4909d3765886672a820afbf5f3b

          SHA512

          fdfa96e64551f03d79bc62612cdb1b5a3059fc7d9d77d5c5a9141cb3e3910effd98d4e6711b70a0dad8e6785a4fa3bd171f6bbd384d82285406b7e2537c2d784

          Download Submit

        • C:\Windows\System32\drivers\etc\hosts
          Filesize

          1KB

          MD5

          c6594e4fa23d131279801560cd9c03ef

          SHA1

          86030f67f34df4ce02759e6f2fbbf7c98febd2da

          SHA256

          5ac117484272642c0e251ef3f75720d91d7877828a0a0f391e6d1a29f76ccf2b

          SHA512

          800695c666ec1d1e2c1f16abd994deaa7ef7f219b24776c4e8e74e27d6357932b78288c857a5ad03b1d8a78f3e8b8c6d9bb35493129e89dac0012a39034f7640

          Download Submit

        • memory/4492-40-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download