Analysis

  • max time kernel: 121s
  • max time network: 130s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18/10/2024, 02:28

General

  • Target: GOLAYA-SEXY.exe
  • Size: 180KB
  • MD5: 63f222fa3dec54c99fa71bfbef798cab
  • SHA1: a6aa7dca45be30f5f1f0a2c0cf24c15637fe33f4
  • SHA256: 47bfc569cb27c9596d81d144a9af37d5f378dcdaf73d6c416b86362739354b8f
  • SHA512: 75c8086cd6dce1433e426f8f65d893130847b0ded224a4c6f26ebc6ee1ef9a33299da4f8902067697717b3cd8e4a855018929fb8d562c9581e79d023ae46e2df
  • SSDEEP: 3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0h+tzYOuIPA:1bXE9OiTGfhEClq9dYpII

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat" "
      2⤵
      • Drops file in Drivers directory
      • System Location Discovery: System Language Discovery
      PID:4776
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs"
      2⤵
      • Drops file in Drivers directory
      • System Location Discovery: System Language Discovery
      PID:1504
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:4972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat
    Filesize: 2KB
    MD5: 56a64e3d2dabea79062ebd37c2695b87
    SHA1: d3a7b4e9e3493c0c46bddb3973573511fc314ff9
    SHA256: 07ba63c69713fa2e4467e82eedc9c5eafd795ec3b85f1f38a9d3d4669cb4fba9
    SHA512: 260e82f73839361cc59a40c35ade0658d9ea22dd7b9af1a2937206bab77729ed9776e65765f521ee69cb6dde61d1dd8f0ba645ddc82440625f93b11c96928e7b

  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs
    Filesize: 895B
    MD5: 86ec234776348de7a66694604c483902
    SHA1: 761269b17829cd99955ca44b9d198d26b3532a7e
    SHA256: b04079e6d07e7788fb3ae4aade8eb6ea11de6e8582e724cb349be30551a0f5bc
    SHA512: 6dc3f64dd4194eb635a8e791599de7bcf52ab275b46efac9c1c90b28b9669adc8f552680dee6cafb5ebe9af1f5f42f0c31159472dfae8b0e879d17b9a05bc5fa

  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs
    Filesize: 611B
    MD5: 49386cb3be62579eaa9d21cd8f528c7d
    SHA1: c2f47fe4e27c663a62190ab454434a3b21070597
    SHA256: 7838e77610ed9f0affd067cd57c610ee4af33411b286b3a24ad60f18135d6289
    SHA512: 23d6cdd86d6c2767e43b8cc79814e6663f376c017694ecc16f971fac140650e02b11a45f247ac302d70489ea9918a365a589f45025581ebc2b9a73b120fb34d8

  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot
    Filesize: 34B
    MD5: aa5511a167a67e429a9fdf3ac25bce0e
    SHA1: 8ac961be922cdc3314ed342e809d68637e9ea1f2
    SHA256: bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665
    SHA512: 736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: c0805e6fff9d30c65b91bc9284beac8e
    SHA1: 45456e27d6632159ed7e4403caa1a16721c3b603
    SHA256: 53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228
    SHA512: 34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3

  • memory/5028-40-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize: 200KB