d2f5e251e9d0d90c2e9d29ca332b881cc71b9e11d5ef67470ed65e05223e01d9

General

Target

GOLAYA-PHOTO.exe
Size

180KB
MD5

150145e71d2d6d5dea85bad963c49939
SHA1

1f96fc6f6bc2f0d33680ff38c440e95e348edfb4
SHA256

ee36fa40e546682624e4028bb270e5282f49fdf623f36d729b8900cba823e887
SHA512

709d6f9b98269ffb6299484f1fbd9e73d307281af24430ef33d7c09a3425259a854acb74fe1e5a46bd308d0fcd293e8bd00e86b5f0c88054bd7eac0cdb861912
SSDEEP

3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0hL/eSZZvLf6CNsPrXJ8WYQKaLnS:JbXE9OiTGfhEClq90GSZZvLCCNsPrXJm

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2120	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	GOLAYA-PHOTO.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	GOLAYA-PHOTO.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 4004	1036	GOLAYA-PHOTO.exe	83
PID 1036 wrote to memory of 4004	1036	GOLAYA-PHOTO.exe	83
PID 1036 wrote to memory of 4004	1036	GOLAYA-PHOTO.exe	83
PID 1036 wrote to memory of 4796	1036	GOLAYA-PHOTO.exe	85
PID 1036 wrote to memory of 4796	1036	GOLAYA-PHOTO.exe	85
PID 1036 wrote to memory of 4796	1036	GOLAYA-PHOTO.exe	85
PID 1036 wrote to memory of 2120	1036	GOLAYA-PHOTO.exe	86
PID 1036 wrote to memory of 2120	1036	GOLAYA-PHOTO.exe	86
PID 1036 wrote to memory of 2120	1036	GOLAYA-PHOTO.exe	86

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:4004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat

Filesize
2KB

MD5
aae98a9ae5312eb4b973299b827bbaf9

SHA1
a130b54b350d8a1de5af60bdf6d1d33bf0ddc91d

SHA256
f21532fcf3ea3a977385c0ab4f2fbeb18ea4bd5bcc3c5d89480aed9ec1458211

SHA512
35114cb5616a208a4490b4bd338d0f92dbf8e0e2a487e47afdaf67729449fa049f6c262622bd7fc5e81261a1edaf00ef7667b589ab432299cd756e53ef8b4d2d

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs

Filesize
927B

MD5
82e4324887462808340c0713a89ed706

SHA1
8d83251e1e7d35b45fef1cd2c682f8c2bdcc967c

SHA256
a0ff7b7e8cec36e1daeba7b2e9eaa4147edad3454f95513671014d913a48eab8

SHA512
b343cbb6d3cf3f267c85c83e6f819b71f4537960f7b755c1ca1881718a389c59182cc13af415185782113e9f7b1e2bed0622e13fcf4486d1bba8995c2818f796

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs

Filesize
695B

MD5
2fe333096954fc280b211ebb13742872

SHA1
e1297c0562865a6112c6ded8765468058364b881

SHA256
94dcb84b3c8639a9a224ed55becaf1fd4435a270de7f18cb4a083546c1fc1bbf

SHA512
2983d9857054e52aad03013f6ea1848d7b1ca84505261a27e60107b6d575bec357369b4e9cadab049fb8bde9fc952d8e2d97ed66db98033d6b9a02264a52d2c3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f54958a6917b4db6b6102f354b3be108

SHA1
516f23fa567b63be53cc9e85fc243d09cf0bfee6

SHA256
f8cbd15a3b3a1bef651d687af8dd34a8787d48f0a3a159fb4050bfde2f83711b

SHA512
4dab27bd040bb30aca4be0d477b8b5d7d2614c15667c98566dad271db66976a272b9800159ac4de4149aa116b56b45099d587cdca9e078c233a04420a3f52ef1

Download Submit
memory/1036-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing