Overview

overview

8

Static

static

3

GOLAYA-SEXY.exe

windows7-x64

8

GOLAYA-SEXY.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    140s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-SEXY.exe

  • Size

    180KB

  • MD5

    b5a44c060c6c4a2d439f9906574a0073

  • SHA1

    89db03d3f47080cca01ebc298f8c989a6b13d3ff

  • SHA256

    d1e011fc69e871b93db9de9f90422097fd88f220ecf664be1d718d2d25fc1c33

  • SHA512

    26b09dc50fe71874c3a96c9434d82681a7ceb588869a5a6e070f5d77daea912d82350745ffd1ecc2fb59c56598fcd15289598cdfca3ddbd6ea416eaf8bb6ae88

  • SSDEEP

    3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0h+tzYOuI0m7:1bXE9OiTGfhEClq9dYpI0M

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:2500
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4092
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:4400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat
    Filesize

    2KB

    MD5

    a94ee45e63e79a94e97e9185ef33d4ca

    SHA1

    94b83eb3bacfd8f953212fcb06c7fc9c456d2d60

    SHA256

    363547c471bc514125a673a361da6e9b8a7730edecceaed29bd6264a6f6e5767

    SHA512

    9b0141e6d210405fb42ef9b5bb1b599b9557468a6c8ed031ea85ce894973a40cfd85bc0cc4c71b3d35796d0a09e3861056976dcdd271d8be4398cb3086248580

    Download Submit

  • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs
    Filesize

    891B

    MD5

    a3738d04672653309492abe7672c4b13

    SHA1

    6d31ecf5dcf9528921770be71c9f8614e2565a6a

    SHA256

    f8fbaee53e690286422a5d103a9032d13094c6ce3bcf083a00ee566d91d7b8f4

    SHA512

    f4319c47314276d0d647c778eca7195c5d2e2bee97eda224ee0b92bc10cf51ece721b67555cd26a9df84666119317bf605081df8c3217e7af0bbe191d7fe2231

    Download Submit

  • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs
    Filesize

    620B

    MD5

    62f1bb6e29bf1d1b0e8747b957bee9d0

    SHA1

    740704f420c9744bf989e0b9ad2c73d2854e3386

    SHA256

    a48f9853b3c4773cc680b13bd5a565ec568abdbce9e7069de50ccfec3db7d59c

    SHA512

    fa9d8ec7847a16dc14a439bf7704dd062d924bc18d95b92059b157d090043be674f47bf2eed7e2b3e9413381ecea56889d6da194fe77cc2d8ec742d9efb5d2b2

    Download Submit

  • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot
    Filesize

    34B

    MD5

    aa5511a167a67e429a9fdf3ac25bce0e

    SHA1

    8ac961be922cdc3314ed342e809d68637e9ea1f2

    SHA256

    bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

    SHA512

    736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    c0805e6fff9d30c65b91bc9284beac8e

    SHA1

    45456e27d6632159ed7e4403caa1a16721c3b603

    SHA256

    53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228

    SHA512

    34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3

    Download Submit

  • memory/4232-40-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download