dcd6d891911df89e7715f14155d89595b65749c3a81cd552a34832848c01709c

General

Target

GOLAYA-BABE.exe
Size

238KB
MD5

bd3875791f0a36ed9122352e1b4fe189
SHA1

a3dff7bd641755b5c8b64c4aab59738ec3842d60
SHA256

1973e4168c5aa035cdc9797ffdede9fac7e84064be5019f533a4ac3de2edef0f
SHA512

1709eff81fc9ee3760f3d6128a228655cadd04144d1f877e2c0a04e6ce2215eeb6c2acebca02d741f3a6090a239f1f652547e4c3badcc99db64dc35a8379ff67
SSDEEP

3072:tBAp5XhKpN4eOyVTGfhEClj8jTk+0hd255d5q5hQ2+Cgw5CKHm:obXE9OiTGfhEClq9uk5d5q5hQXJJUm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2312	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.vbs	cmd.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\Uninstall.exe	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\Uninstall.ini	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.cross	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.cross	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.vbs	cmd.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\xranilise_vsei_figni_tut.bok	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\xranilise_vsei_figni_tut.bok	GOLAYA-BABE.exe
File created	C:\Program Files (x86)\idol ya poka_\no_lover_simp\nu kak bi vsua hernya.fos	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\Uninstall.exe	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\idol ya poka_\no_lover_simp\nu kak bi vsua hernya.fos	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	GOLAYA-BABE.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 2144	980	GOLAYA-BABE.exe	88
PID 980 wrote to memory of 2144	980	GOLAYA-BABE.exe	88
PID 980 wrote to memory of 2144	980	GOLAYA-BABE.exe	88
PID 980 wrote to memory of 2312	980	GOLAYA-BABE.exe	90
PID 980 wrote to memory of 2312	980	GOLAYA-BABE.exe	90
PID 980 wrote to memory of 2312	980	GOLAYA-BABE.exe	90

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\idol ya poka_\no_lover_simp\slooooowthespeedafer.cross

Filesize
1KB

MD5
34d7456a4891f37beb13dcbd036ed75a

SHA1
f64de50386a18592499f36871d7f9aa5f2a94af4

SHA256
286c730af7e132f6e5ce4c421902e6ce9a1155580b4b76f5e79c9540d89bd8fc

SHA512
218cd5e9e416c033451508148af8884c79aa594d8d967b43d749eb608616b775296c03c33844aeff553c65f347f7d2a01af6f2a4369b442ee05798979e7eb6ac

Download Submit
C:\Program Files (x86)\idol ya poka_\no_lover_simp\svezee_techenie_cheloveko.bat

Filesize
1KB

MD5
30c3e9c19b53c874e11ebe892b8e482a

SHA1
7c1691acac06d80bdb9008afe846219e87cddd58

SHA256
620071de936ca49df84e241c96cdc171e048ba34156b2cd82dd3593c7b40e7a4

SHA512
3dbaf16c611e143e93160a91f66e7f4d4e7c974cf7994a8a77d540cd77b18066987fb289f66cd8b088850ba8cf587212655aadb7acb0efa9ea19a402b0998e8a

Download Submit
C:\Program Files (x86)\idol ya poka_\no_lover_simp\xranilise_vsei_figni_tut.bok

Filesize
95B

MD5
c92529232d9a24e2bda875c082a00cc0

SHA1
540ab3f9fe1ff856d8d58ec32edc250514c83c53

SHA256
fd7381efc28d01c97a99fe03bb5d232b56bcdc38faac3a836168e3e10badffab

SHA512
f1f107f715ce91fb4b84e4875532e18b97fde182820ae54eed382250a5f921f2435c73ae5d8cb0c84db7843539e900e71d55740eaa8251b4b25f968ca31149ed

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
4fccb4d0b47dfce4da0002ee30fc74e6

SHA1
e5e9311650e7631800cd404d2aa7df00e4b169d3

SHA256
2554b9fc2dd8cdb75ac6e3650a9b5fe0b90d40a7bb04625b021aaf6d0e1a1499

SHA512
951e1f0a5636052f32b7990201cc1d855d8bef07fd247fe95f87dfc20c314c3945fecb549e402445543fadd60c5c46db4d028391a690c84bd6a8308d335adacd

Download Submit
memory/980-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/980-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing