bc1532116c247d03810ad655366bc1808f9368297f665671535d613cce59a348

General

Target

GOLAYA-DEVOCHKA.exe
Size

180KB
MD5

63f222fa3dec54c99fa71bfbef798cab
SHA1

a6aa7dca45be30f5f1f0a2c0cf24c15637fe33f4
SHA256

47bfc569cb27c9596d81d144a9af37d5f378dcdaf73d6c416b86362739354b8f
SHA512

75c8086cd6dce1433e426f8f65d893130847b0ded224a4c6f26ebc6ee1ef9a33299da4f8902067697717b3cd8e4a855018929fb8d562c9581e79d023ae46e2df
SSDEEP

3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0h+tzYOuIPA:1bXE9OiTGfhEClq9dYpII

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4196	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	GOLAYA-DEVOCHKA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat	GOLAYA-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs	GOLAYA-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLAYA-DEVOCHKA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	GOLAYA-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1704	4964	GOLAYA-DEVOCHKA.exe	82
PID 4964 wrote to memory of 1704	4964	GOLAYA-DEVOCHKA.exe	82
PID 4964 wrote to memory of 1704	4964	GOLAYA-DEVOCHKA.exe	82
PID 4964 wrote to memory of 3984	4964	GOLAYA-DEVOCHKA.exe	84
PID 4964 wrote to memory of 3984	4964	GOLAYA-DEVOCHKA.exe	84
PID 4964 wrote to memory of 3984	4964	GOLAYA-DEVOCHKA.exe	84
PID 4964 wrote to memory of 4196	4964	GOLAYA-DEVOCHKA.exe	85
PID 4964 wrote to memory of 4196	4964	GOLAYA-DEVOCHKA.exe	85
PID 4964 wrote to memory of 4196	4964	GOLAYA-DEVOCHKA.exe	85

C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs"
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:3984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat

Filesize
2KB

MD5
56a64e3d2dabea79062ebd37c2695b87

SHA1
d3a7b4e9e3493c0c46bddb3973573511fc314ff9

SHA256
07ba63c69713fa2e4467e82eedc9c5eafd795ec3b85f1f38a9d3d4669cb4fba9

SHA512
260e82f73839361cc59a40c35ade0658d9ea22dd7b9af1a2937206bab77729ed9776e65765f521ee69cb6dde61d1dd8f0ba645ddc82440625f93b11c96928e7b

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs

Filesize
895B

MD5
86ec234776348de7a66694604c483902

SHA1
761269b17829cd99955ca44b9d198d26b3532a7e

SHA256
b04079e6d07e7788fb3ae4aade8eb6ea11de6e8582e724cb349be30551a0f5bc

SHA512
6dc3f64dd4194eb635a8e791599de7bcf52ab275b46efac9c1c90b28b9669adc8f552680dee6cafb5ebe9af1f5f42f0c31159472dfae8b0e879d17b9a05bc5fa

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs

Filesize
611B

MD5
49386cb3be62579eaa9d21cd8f528c7d

SHA1
c2f47fe4e27c663a62190ab454434a3b21070597

SHA256
7838e77610ed9f0affd067cd57c610ee4af33411b286b3a24ad60f18135d6289

SHA512
23d6cdd86d6c2767e43b8cc79814e6663f376c017694ecc16f971fac140650e02b11a45f247ac302d70489ea9918a365a589f45025581ebc2b9a73b120fb34d8

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot

Filesize
34B

MD5
aa5511a167a67e429a9fdf3ac25bce0e

SHA1
8ac961be922cdc3314ed342e809d68637e9ea1f2

SHA256
bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

SHA512
736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

Download Submit
memory/4964-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing