1d256912ca6569decd972173cc676c963b1dd60fd845941d1db355341d919da0

General

Target

GOLAYA-RUSSKAYA.exe
Size

180KB
MD5

05dcabe4947ada380eb48cf90eb0aa6f
SHA1

d11c9319a518ddc14dc62cc138d074b1d908c924
SHA256

53b296ba46752bf57d298dfe5ba8b011574253199e57ffd8c8786bb16f642f49
SHA512

a336ca962fe97f329fa6968e2532096a0051e5f124c20c7ba74d6688e5b15b2f34980b56f2b6f1e5ff3a53a05936510f22841279497ca50061e5c3fc55ea1614
SSDEEP

3072:nBAp5XhKpN4eOyVTGfhEClj8jTk+0hJiH8ga2EPb9ePlO7/IQ1bvatjKv5sK2DdH:qbXE9OiTGfhEClq9j8ga2+b9ePlO7/IR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	3108	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	GOLAYA-RUSSKAYA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs	GOLAYA-RUSSKAYA.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs	GOLAYA-RUSSKAYA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	GOLAYA-RUSSKAYA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1696	3628	GOLAYA-RUSSKAYA.exe	85
PID 3628 wrote to memory of 1696	3628	GOLAYA-RUSSKAYA.exe	85
PID 3628 wrote to memory of 1696	3628	GOLAYA-RUSSKAYA.exe	85
PID 3628 wrote to memory of 1780	3628	GOLAYA-RUSSKAYA.exe	87
PID 3628 wrote to memory of 1780	3628	GOLAYA-RUSSKAYA.exe	87
PID 3628 wrote to memory of 1780	3628	GOLAYA-RUSSKAYA.exe	87
PID 3628 wrote to memory of 3108	3628	GOLAYA-RUSSKAYA.exe	88
PID 3628 wrote to memory of 3108	3628	GOLAYA-RUSSKAYA.exe	88
PID 3628 wrote to memory of 3108	3628	GOLAYA-RUSSKAYA.exe	88

C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
d515dbabc1d4148509640420b7a56dc7

SHA1
5e3c3c4ae1882bd0aef3d9a3cbd527f2fdad6cc1

SHA256
db87b544d4eb7fb04ab140aaa18afa2b985f1636b19605715d22db93a2369063

SHA512
0d5140346185c9ebcc2447b33e4c279449ed8c5ca7b9ec961135848a4317ee79093a3f514f77d9c18bb337ca367375f15ac7b00493d0ffe2ac99836a4a9f808c

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs

Filesize
899B

MD5
c99bcd3152c111c27332bfc299c30379

SHA1
114b6dff436d74f361d8ca0b5bd4978adc3e9346

SHA256
8c7cc60f62079e6e6970ad0930850c114b22ebf4214310d4401159782c0ce111

SHA512
0f7b76e06cb6a4b7bf4a137a8ff24d51d32d266df43c1be54cf6185c00bb9fb621b587f58281684dd583e1ca58d0343e8d507a96e186f6a635dc8ff964e312b8

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs

Filesize
700B

MD5
a7d73318a92af8e3cfc771049d3edfac

SHA1
d9c5ab0e91ea4c71d8d9591f2851ca9282e3523e

SHA256
20b0d215ab3b82e181190a170660f0e9f816b149169001e6ca2daa08101ff7be

SHA512
c313aceb921c76d6c3bf0b35bfadff5a2479781a588300340ead4258c0ba4d6adb29a566873e981f8fed44a53b7ec88611c1d4366cb873743b472ba8a4f449df

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c0805e6fff9d30c65b91bc9284beac8e

SHA1
45456e27d6632159ed7e4403caa1a16721c3b603

SHA256
53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228

SHA512
34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3

Download Submit
memory/3628-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing