Overview

overview

8

Static

static

3

PHOTO-GOLAYA.exe

windows7-x64

8

PHOTO-GOLAYA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2024, 19:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PHOTO-GOLAYA.exe

  • Size

    149KB

  • MD5

    5e337da135d63887a756e2cba5fcc0c8

  • SHA1

    c367eaa24241c19410bbbe2ff4d2c39d4cdd1990

  • SHA256

    d9d056c7d128ec893e43a4c7b315e9437629f851f51aee6d366c1022a48bdff1

  • SHA512

    54b3a00c9317c2d5ea338a2450e655dd5c822531c97bb8cd164272a10650421676c1ea9634de1ed2c9454885b04653773235c605f95befb7d848eef6779c0172

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hijeF9RCyllP:AbXE9OiTGfhEClq949vD

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:3656
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:744
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1656 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:792

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Produc\New\nadopilitsa.vbs
            Filesize

            269B

            MD5

            f8e76085c4bab58dcb161028c3aae9c9

            SHA1

            764af0a064b08e40beeab421df76d3c7fb389c75

            SHA256

            e7388abfc5e55e53c9a06f74e6000107b15641c3d99fe89d9f990584049b4ad6

            SHA512

            7c557fdee8163233be08a494955b02af789d37fefc5429b966079c83950f4b79ec50c7f521ba0cc72cb762c300ab96ce72c1bc90a3eca6eeed67e1a2614a8b61

            Download Submit

          • C:\Program Files (x86)\Produc\New\nevedomaya.hernya
            Filesize

            48B

            MD5

            7215ed14e21d41517551593a906dfa9e

            SHA1

            572ec6424f46b19e5b1a0ebcb58df8efadaa37aa

            SHA256

            248f4f03a3bac68d3f2231e72dcdb82d16ba4a49631306e231200c36a4d7d6b6

            SHA512

            c81fcc628b6178017cacdbf7c57b5bd3304ea1e6a43b4c8164082f6d701f7f03c16d3026b011819ee76cb4609ca8c00e70566382cd839fba9fe714e1d0a1f7e5

            Download Submit

          • C:\Program Files (x86)\Produc\New\nuashks.bat
            Filesize

            3KB

            MD5

            c151e8a63db1332daeaf336c6767f918

            SHA1

            3c41d44604d19b3ce2bb9a1971a94ebf2a1f50bd

            SHA256

            c9f0675570ce4487e3b60e2b3e5433ad76c0ec354a41d8135fb0318e40f39e95

            SHA512

            bb483dc05f7eeb6e6a73c76d6bf95e1e322b609d759dee27c5e21b682d8c249b3e60cc25f7f47ee152f0b8eccea90252daed9235153e3258423221c233f80c44

            Download Submit

          • C:\Program Files (x86)\Produc\New\poppets.txt
            Filesize

            27B

            MD5

            213c0742081a9007c9093a01760f9f8c

            SHA1

            df53bb518c732df777b5ce19fc7c02dcb2f9d81b

            SHA256

            9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

            SHA512

            55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

            Download Submit

          • C:\Program Files (x86)\Produc\New\samisok.vbs
            Filesize

            740B

            MD5

            152fab0ac0684c4b7383883ecb4c42f7

            SHA1

            dc2487afd2302751686b5f7af5ec65ecd05c75c5

            SHA256

            d28c1370bce14ca6aa38e81d6c6deb3e43b04849bead1795d940c1e59f2cde4d

            SHA512

            da52cafc25583799b8138044cfd25f0cc66c7d01b1cf369b8960c1865d9a6a348be0ee90b417ad72455f3919f7553ef4db971c7ff56855b40bf4d772ba8efee3

            Download Submit

          • C:\Windows\System32\drivers\etc\hosts
            Filesize

            1KB

            MD5

            d9a93296f8c62ab96271667c72d7a3b3

            SHA1

            abcf5a6ed773cfc978fc2176138778ad406c188a

            SHA256

            f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

            SHA512

            f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

            Download Submit

          • memory/4656-3-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4656-58-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download