2604a003d3363330d9cd0721cec45c8164c219872f1ecba8405818bea95c0b59

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-BABE.exe
Size

180KB
MD5

3e080ab7ed40be06a0da9f17c44bd6ec
SHA1

8f4dd15b0cb7fefa1d5f64e5dfb786a7a1dc05f8
SHA256

b569cbf09e89d5a87e21892099a4f6e76dcaad568af02793fa3149fc6e5e461b
SHA512

7e3b54939793fa1554759d8c8ac93696fe1c8fa5ff0423457ba2cced679ff13a800d5f3cff6ec8e71cc504e910b2766b486b98b47575c6abb83d6ef885d03fed
SSDEEP

3072:vBAp5XhKpN4eOyVTGfhEClj8jTk+0hgVL8ON:ybXE9OiTGfhEClq9zJ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	3284	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	GOLAYA-BABE.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs	GOLAYA-BABE.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs	GOLAYA-BABE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	GOLAYA-BABE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3560	4536	GOLAYA-BABE.exe	89
PID 4536 wrote to memory of 3560	4536	GOLAYA-BABE.exe	89
PID 4536 wrote to memory of 3560	4536	GOLAYA-BABE.exe	89
PID 4536 wrote to memory of 3004	4536	GOLAYA-BABE.exe	91
PID 4536 wrote to memory of 3004	4536	GOLAYA-BABE.exe	91
PID 4536 wrote to memory of 3004	4536	GOLAYA-BABE.exe	91
PID 4536 wrote to memory of 3284	4536	GOLAYA-BABE.exe	92
PID 4536 wrote to memory of 3284	4536	GOLAYA-BABE.exe	92
PID 4536 wrote to memory of 3284	4536	GOLAYA-BABE.exe	92

C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
d063d8d1f53c0c03daa40cd5f6e3509a

SHA1
5d41ee0d3bb8c2c74c654d003067a2927fd975ed

SHA256
466751d83fe2708bbf4e75135293a8cd57e6ad7de029d400f738e2ff2e5c9403

SHA512
5b52f89a863e7c771f0df6e9495bc87bac356bea519a3db26b51ba6fa4b109b1a41ac8cf2af8f5d4edb0e030479cc3b9a60e8ae08ad4619dff09fbdced3ef9b2

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
7d94f52916ecca6d3c68eb13ab68a2ab

SHA1
f40da9aa43d2208ab2ca0c0792572588b5f54c02

SHA256
354b2baf1b5a08368077e053984063a0a94736e16d3d77aa259e7d212e50b92a

SHA512
c15e0655df3a745949926ff7b783b565a137916a3dfc52f15698643ac8405223259d2ae7641e4d4ab572f926cd0b192a500ef10349cab60b1e92da838497fd0c

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs

Filesize
909B

MD5
5cd30692f17b61420aa98c427810f70e

SHA1
e17d83df32233a59fd86e83ffdc0729b9144bd07

SHA256
37eba2a860d9e6b99bbcd05be3d7942efb165e2fe3d9448d904c8160804d9a8e

SHA512
2d860f5c8dac6425cb36e098cadef58d3b536b00ccb138d5ead10288814b4a9fceac57b5b312178fd793e0b61a1c2237b3c5b222b37a58d40330ef42aa6318b6

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs

Filesize
656B

MD5
7f894b391586389088bb129089160402

SHA1
4d23e47474f49013c608cb3d4f2d5f981e29b90d

SHA256
1c45959c14908a0cc7dbe1ac8c75e49824a6872686af4d6fc780672d56d8cc78

SHA512
104fa4b46ec303db099d82e558ec35328763d0af3e54a66d239d1382961f2b782bea4cddd48ff678e0e56de3e5ede8c1c468f1b45bdbdd1187a0128e85f80e47

Download Submit
memory/4536-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download