Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 14:39

General

  • Target: GOLAYA-PHOTO.exe
  • Size: 149KB
  • MD5: e1fb70408c7945c6524c321063bd9570
  • SHA1: ebcd6a63fac9609c46e9c84708aa1e5701ee7775
  • SHA256: 3e2da7a655e400f9e6ad442d4db21bac0a9528bc825aaaa8fdd97406458a59ed
  • SHA512: 58751bd094dfc28c8b83085a480f70d1dfc97b990e69d90c4abe6ad5ec68c2a215445a664d5287bc624eab4175c2479fe6f0802b045fea61c12449af05f34814
  • SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0higWrUzM/XP:AbXE9OiTGfhEClq9GWruyXP

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1068
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2196
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3252

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\salst\ogurets\all3.vbs
      Filesize: 343B
      MD5: a70714342e5ae422f1d4b0a7de156938
      SHA1: 17623bd5629d4aaead0b48625ec873b92a4d7a38
      SHA256: b207e48398159a5637bbffa95c4dd0065172a973163d1bdf12e4f5dc716236fe
      SHA512: acb2a805a6d5b372b049f167e36d5fb4614efc4dc3ebbb7a10b9bd6c1aa15b95a7da189f041db752481cf5ff7a52bc9536e324f52a531f4cde017bb08f4323f0

    • C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs
      Filesize: 743B
      MD5: 556b867977c81ea01eddf0d1dca64b09
      SHA1: ff062063e4d879aba253391d65698ebe2e435f71
      SHA256: 16b74e98406c9237e29e4f943165f9bce680bcd2fdcb4179d8b8c4a474ff57c0
      SHA512: 8ad4380e76216d71403eba8c02da6536de86403f49b842b12b4dea6d5e09d7ced642717a0c004257db903538a4fdd4b341c2ef83568564fd0b9ca7ec45441867

    • C:\Program Files (x86)\salst\ogurets\podkati.bat
      Filesize: 3KB
      MD5: 29256f814d96aa9b1ba552ca27d5d8d1
      SHA1: d9fa70fb8c7a1aa855b2d36e313e07951f9f5888
      SHA256: 7529f6ecd65340c10079f3dd2a902b2aeb5283cb26c3d6aeb9f16f98c247c3ae
      SHA512: 83638edabb754f0abc2bdbd09cdb6049869fea64ecbc8b13ae9a4d6ee03a8df4e64e73e3ac78b2811a46f0d6c2a6713f2d11d170eae18ec516de39574109a794

    • C:\Program Files (x86)\salst\ogurets\polenolll.pof
      Filesize: 27B
      MD5: 213c0742081a9007c9093a01760f9f8c
      SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
      SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
      SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    • C:\Program Files (x86)\salst\ogurets\stuckja.jol
      Filesize: 43B
      MD5: d78035c4c5b31de497461498fedee636
      SHA1: e67dbea9bcc9deb3a93bc45bc936162ce431e1c5
      SHA256: 5d3a1308501ae2d5eac35d1166f833c6ee68bf4501789d7b8b0825373f5ede5c
      SHA512: 55da15d3f69422585bacfdc852780fa7c8db7b31a0cec251d7590a9850f919902d64e66c62d3e74ada9f8946fccd4f2988dd45533301d2580d7976b00b799785

    • C:\Windows\System32\drivers\etc\hosts
      Filesize: 1KB
      MD5: d9a93296f8c62ab96271667c72d7a3b3
      SHA1: abcf5a6ed773cfc978fc2176138778ad406c188a
      SHA256: f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993
      SHA512: f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

    • memory/3812-55-0x0000000000400000-0x0000000000422000-memory.dmp
      Filesize: 136KB