950d13c75c5d01ae585f31f81837e7baafb1961cd7de0bc625af8e1615bc6db1

General

Target

GOLAYA-TOPLESS.exe
Size

238KB
MD5

7710fc4fcea932679b40d31d409ae117
SHA1

bb5dfd38943356d6c1cff6b12d32f1cb54af6d35
SHA256

11abaf6a3b196588408e4d7fe8bf9a7d9b1a9b9bb3eeeb3dc2215be38f18eefa
SHA512

7fb1e792e8d2533a5aa4927971249d59f25fe2fe7067b9a1dbbb71aa1a5964bd7efb75822c73ffdef9ff118982e42b870c883229fa37eee228f3d11026574b06
SSDEEP

6144:MbXE9OiTGfhEClq9528TfdRoWRg+lN/JJUm:oU9XiuiJ8DRxl5

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	3032	WScript.exe
5	3032	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLAYA-TOPLESS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2372	2424	GOLAYA-TOPLESS.exe	30
PID 2424 wrote to memory of 2372	2424	GOLAYA-TOPLESS.exe	30
PID 2424 wrote to memory of 2372	2424	GOLAYA-TOPLESS.exe	30
PID 2424 wrote to memory of 2372	2424	GOLAYA-TOPLESS.exe	30
PID 2424 wrote to memory of 3032	2424	GOLAYA-TOPLESS.exe	32
PID 2424 wrote to memory of 3032	2424	GOLAYA-TOPLESS.exe	32
PID 2424 wrote to memory of 3032	2424	GOLAYA-TOPLESS.exe	32
PID 2424 wrote to memory of 3032	2424	GOLAYA-TOPLESS.exe	32

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
f17d1131d70c2bdb19dd02e4e3ce329a

SHA1
b94bec3322500c7ed985b771fd69ad29e2727d18

SHA256
d3bb53de9670b8be634b53c3202850684fae7b1487d4556a7354dcafd37395e9

SHA512
36269e665653a40c995c3764e79e73e0de5e17ecf19327752b4a5a255d7f99b539e336d17beb66f32246243f0acf8bdbf2d0bc64ec53f2a9f12f24a7d5e2c005

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
97B

MD5
8100ec467959c6a5ced3ece884000147

SHA1
1e3554d4af71024cbf4b836e0e8e7b6106faa83e

SHA256
689b27df3c7df0dd0f92ddbc537535e4e539e8fbe2e13eff6f8360767761885d

SHA512
d7f7ad4527e9b988298e6aaa07a4f7443715ccba9ab2a9125bd5bf1823cd9ac599d2302cbf832e2edca277a847a137a3dbacbf85da2487afc9fc28572d61beef

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs

Filesize
1KB

MD5
468dcabec01fda55f1f75354f8bf22f5

SHA1
230fda1f911fe9628862d9799f1ef341691c75b9

SHA256
6a8569bf3bb20857b553e45a85be0e2160a67a499a51f2d9db68154304f1015f

SHA512
266a68124bddea1ff3410c3fe50b39ed94a5a02b7e72c15a79f4958256fe60a51f7c82b2b57484d86c897453f3c696d4ce61172145e39af6c40e3e7094703dfa

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
07747e26ea3ffd06b1e9825864be253c

SHA1
97b8ae03f2a4835ba0cef297bd1582aa2eebb983

SHA256
13e54f2ba2925d259803f92c44c26c3b1739f6340087475159bb140eed3a2f32

SHA512
619747f33df62d66437c874ba60ed33c8a178127ea763388b816bf7b3e332e94c612f6360fd23e008256c73b70b4660278578c2758ad09ae544e10736f8d6b8d

Download Submit
memory/2424-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2424-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing