Analysis

max time kernel: 121s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 02:58
Static task: static1

Behavioral task: behavioral1
  Sample: GOLAYA-PHOTO.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: GOLAYA-PHOTO.exe
  Resource: win10v2004-20240412-en
General

Target: GOLAYA-PHOTO.exe
Size: 180KB
MD5: 150145e71d2d6d5dea85bad963c49939
SHA1: 1f96fc6f6bc2f0d33680ff38c440e95e348edfb4
SHA256: ee36fa40e546682624e4028bb270e5282f49fdf623f36d729b8900cba823e887
SHA512: 709d6f9b98269ffb6299484f1fbd9e73d307281af24430ef33d7c09a3425259a854acb74fe1e5a46bd308d0fcd293e8bd00e86b5f0c88054bd7eac0cdb861912
SSDEEP: 3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0hL/eSZZvLf6CNsPrXJ8WYQKaLnS:JbXE9OiTGfhEClq90GSZZvLCCNsPrXJm
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  1 | 2120 | WScript.exe

Drops file in Drivers directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | WScript.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hîsts | WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | GOLAYA-PHOTO.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\nasri_v_moi_rot.govno | GOLAYA-PHOTO.exe
  File opened for modification | C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat | GOLAYA-PHOTO.exe
  File opened for modification | C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs | GOLAYA-PHOTO.exe
  File opened for modification | C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs | GOLAYA-PHOTO.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings | GOLAYA-PHOTO.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1036 wrote to memory of 4004 | 1036 | GOLAYA-PHOTO.exe | 83
  PID 1036 wrote to memory of 4004 | 1036 | GOLAYA-PHOTO.exe | 83
  PID 1036 wrote to memory of 4004 | 1036 | GOLAYA-PHOTO.exe | 83
  PID 1036 wrote to memory of 4796 | 1036 | GOLAYA-PHOTO.exe | 85
  PID 1036 wrote to memory of 4796 | 1036 | GOLAYA-PHOTO.exe | 85
  PID 1036 wrote to memory of 4796 | 1036 | GOLAYA-PHOTO.exe | 85
  PID 1036 wrote to memory of 2120 | 1036 | GOLAYA-PHOTO.exe | 86
  PID 1036 wrote to memory of 2120 | 1036 | GOLAYA-PHOTO.exe | 86
  PID 1036 wrote to memory of 2120 | 1036 | GOLAYA-PHOTO.exe | 86
Processes

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe (PID 1036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4004)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\chilli_v_zope\04en_cheshetsa_pizdets.bat" "
    - Drops file in Drivers directory

  C:\Windows\SysWOW64\WScript.exe (PID 4796)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ez_i_baldei_po_polnoi.vbs"
    - Drops file in Drivers directory

  C:\Windows\SysWOW64\WScript.exe (PID 2120)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\edem_na_adam\krasnoe_na_chernom\kutturotti\ne_zabud_hoppersi.vbs"
    - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads