fbf7f71b8ad08854d23f8b38c542f9ff1f78d8ed61f87c8c1d5c5cd3a5858bad

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 20:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-PHOTO.exe
Size

149KB
MD5

977c93c6bc8681e1c6f4957be7346fb3
SHA1

d6dd40443ab855f7723163573a99d2073f3e5ab7
SHA256

49ad394c9e66be0dbdbb2f39ae0dec9d73524c5adcfa0b2ab42a5c9f021c860a
SHA512

43a35a1cd5b232c1c905c0d99b837cd0cb62da18fd2f347ca19ca93ae0a0f00156f16ae105e4f26190008d791535d76960c3c5e7b3090316c33a9364147e4158
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hizJREUzffMe:AbXE9OiTGfhEClq9XKUbMe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2444	WScript.exe
7	2444	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\Company\NewProduct\al99999.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\all2.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\koollapsa.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\slonik.po	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\hhhh.txt	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\al99999.pp	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\al99999.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2504	2040	GOLAYA-PHOTO.exe	28
PID 2040 wrote to memory of 2504	2040	GOLAYA-PHOTO.exe	28
PID 2040 wrote to memory of 2504	2040	GOLAYA-PHOTO.exe	28
PID 2040 wrote to memory of 2504	2040	GOLAYA-PHOTO.exe	28
PID 2504 wrote to memory of 2444	2504	cmd.exe	30
PID 2504 wrote to memory of 2444	2504	cmd.exe	30
PID 2504 wrote to memory of 2444	2504	cmd.exe	30
PID 2504 wrote to memory of 2444	2504	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Company\NewProduct\koollapsa.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Company\NewProduct\al99999.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\al99999.pp

Filesize
294B

MD5
21af4fa5ba98e52f2ff9495e2d5647bf

SHA1
8392c3193b01dc4e053d475ef2596a9b9775c5a6

SHA256
979b8df7b94d49e3a802d52ae9b6df38f1791dce642bf841ac22969e30b779ea

SHA512
3a07d55c4f9b35f040940d3fe4f7f7880d16547a656dc2aff61f8d0c64d8d9f3e590e561e3a395129a698a3dd20706849cf712ba8a4e9e9a72a0b40ec4c021c9

Download Submit
C:\Program Files (x86)\Company\NewProduct\hhhh.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Company\NewProduct\koollapsa.bat

Filesize
3KB

MD5
fa686645bd1910d87cdc478fdf11d066

SHA1
401b0b4768bccd1e785a5286b5d92827ab0880c3

SHA256
5d917486a81cc816300b1b0e487b44f8ba35172c57d5f778d4dac5f074862f1e

SHA512
26daf27c886da0d06df964dcc8481524a78418c94c34e7f413f66cf89d2b46b6a909e22becde1ecbfe3bcdaf70219ce282cbe7d22d269fbb1a3674d28f8e1485

Download Submit
memory/2040-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download