Overview

overview

8

Static

static

3

PHOTO-GOLAYA.exe

windows7-x64

8

PHOTO-GOLAYA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    115s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/04/2024, 05:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PHOTO-GOLAYA.exe

  • Size

    149KB

  • MD5

    8038ebcd984916c69c58ede697dbe7b4

  • SHA1

    94e4561a06e0b423bc5b76c49234a977a869aae8

  • SHA256

    ae6226759da82fa559e63bc55b1e62a103c98fae2d246b81d43eae1826c99064

  • SHA512

    1acbf5b396f5e88c85ad4e86cf25ad2722f681d42c31bdc113f66c70a8fa6015da20af4a0418e75fbdb350c09c80785fd08e2161b5cdb5ae067636e5715355bf

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi38puk4NUtjV:AbXE9OiTGfhEClq9qptV

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Company\NewProduct\koollapsa.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\al99999.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:3168
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\all2.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4816
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3688

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Company\NewProduct\al99999.pp
            Filesize

            234B

            MD5

            dd1664a1bd6c20ff17e7ab15e00510ee

            SHA1

            1ebbcb2ef9c68141cd0d5ab5d348d6417c303a5e

            SHA256

            5cbd54d4928f6b5e68ab54046e015f10ae5d044a7a10d138f4a5b953707f0a43

            SHA512

            f13d1021ec90af9103665e9e5242af28e85137f83400931bc852c4f78bf2b25fc600b3e6cb4f48754cc37c78da729a7904d25af2130b76fa84a4f2fa82ecbadd

            Download Submit

          • C:\Program Files (x86)\Company\NewProduct\all2.vbs
            Filesize

            758B

            MD5

            f146f415df0981d96d10be43c8042424

            SHA1

            2f4125b5312566d96079de4d5723879ee5c71ada

            SHA256

            2d443c61261981b7023dca06f82dde969dbef6bfabf2a3e5e643d166e3165dae

            SHA512

            a61f3252f5ebc90ea84262103ec03b26d93ec34dbf73a81e18e820c8fd2ecaafc0c184895f54314d54bc809528d37e8bba8859129117ca0a7ebf6646fa77080a

            Download Submit

          • C:\Program Files (x86)\Company\NewProduct\hhhh.txt
            Filesize

            27B

            MD5

            213c0742081a9007c9093a01760f9f8c

            SHA1

            df53bb518c732df777b5ce19fc7c02dcb2f9d81b

            SHA256

            9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

            SHA512

            55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

            Download Submit

          • C:\Program Files (x86)\Company\NewProduct\koollapsa.bat
            Filesize

            2KB

            MD5

            97500c34cf7c2f6ab00e202bc4dd4229

            SHA1

            1386e443b33609143e94f13c42bacffb8e8c5126

            SHA256

            67fa3bea764831799e89d164c3eb29d408b9057b321e7745a18083201b106c9c

            SHA512

            0d0d73181b5743605c52704391961c57fb847fe92681222cfd98a500435ad8c47539b2ae6a0e988f69f17fc64d3fe5a68562298bde0e0dc956c0d365a2ae7350

            Download Submit

          • C:\Program Files (x86)\Company\NewProduct\slonik.po
            Filesize

            42B

            MD5

            645762809de5650cae734e629a60c92e

            SHA1

            7a84e6c54c2c30b90ad7590fb285605e1a0fb21f

            SHA256

            9fb02cdb68a2deb143ff90f757c9275916dc912a90170a328ec08f23829d156f

            SHA512

            c7787ce50d0038c187798951b6b25d9e0afb51915b6d3bd98339cb8e4f4e4c1c4efa7829b32afa81d570b190535b1667486d1fdf04a65e32093a83480581212e

            Download Submit

          • C:\Windows\System32\drivers\etc\hosts
            Filesize

            1KB

            MD5

            d9a93296f8c62ab96271667c72d7a3b3

            SHA1

            abcf5a6ed773cfc978fc2176138778ad406c188a

            SHA256

            f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

            SHA512

            f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

            Download Submit

          • memory/1460-57-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download