950d13c75c5d01ae585f31f81837e7baafb1961cd7de0bc625af8e1615bc6db1

General

Target

GOLAYA-TOPLESS.exe
Size

238KB
MD5

7710fc4fcea932679b40d31d409ae117
SHA1

bb5dfd38943356d6c1cff6b12d32f1cb54af6d35
SHA256

11abaf6a3b196588408e4d7fe8bf9a7d9b1a9b9bb3eeeb3dc2215be38f18eefa
SHA512

7fb1e792e8d2533a5aa4927971249d59f25fe2fe7067b9a1dbbb71aa1a5964bd7efb75822c73ffdef9ff118982e42b870c883229fa37eee228f3d11026574b06
SSDEEP

6144:MbXE9OiTGfhEClq9528TfdRoWRg+lN/JJUm:oU9XiuiJ8DRxl5

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2684	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	GOLAYA-TOPLESS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	GOLAYA-TOPLESS.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	GOLAYA-TOPLESS.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLAYA-TOPLESS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	GOLAYA-TOPLESS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2096	2520	GOLAYA-TOPLESS.exe	88
PID 2520 wrote to memory of 2096	2520	GOLAYA-TOPLESS.exe	88
PID 2520 wrote to memory of 2096	2520	GOLAYA-TOPLESS.exe	88
PID 2520 wrote to memory of 2684	2520	GOLAYA-TOPLESS.exe	91
PID 2520 wrote to memory of 2684	2520	GOLAYA-TOPLESS.exe	91
PID 2520 wrote to memory of 2684	2520	GOLAYA-TOPLESS.exe	91

C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-TOPLESS.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
f17d1131d70c2bdb19dd02e4e3ce329a

SHA1
b94bec3322500c7ed985b771fd69ad29e2727d18

SHA256
d3bb53de9670b8be634b53c3202850684fae7b1487d4556a7354dcafd37395e9

SHA512
36269e665653a40c995c3764e79e73e0de5e17ecf19327752b4a5a255d7f99b539e336d17beb66f32246243f0acf8bdbf2d0bc64ec53f2a9f12f24a7d5e2c005

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
97B

MD5
8100ec467959c6a5ced3ece884000147

SHA1
1e3554d4af71024cbf4b836e0e8e7b6106faa83e

SHA256
689b27df3c7df0dd0f92ddbc537535e4e539e8fbe2e13eff6f8360767761885d

SHA512
d7f7ad4527e9b988298e6aaa07a4f7443715ccba9ab2a9125bd5bf1823cd9ac599d2302cbf832e2edca277a847a137a3dbacbf85da2487afc9fc28572d61beef

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll

Filesize
1KB

MD5
468dcabec01fda55f1f75354f8bf22f5

SHA1
230fda1f911fe9628862d9799f1ef341691c75b9

SHA256
6a8569bf3bb20857b553e45a85be0e2160a67a499a51f2d9db68154304f1015f

SHA512
266a68124bddea1ff3410c3fe50b39ed94a5a02b7e72c15a79f4958256fe60a51f7c82b2b57484d86c897453f3c696d4ce61172145e39af6c40e3e7094703dfa

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b4434980101442bcce3e0b0f6d12d743

SHA1
1a68111eba898c9b337b1dcd8cd803e339df5335

SHA256
9e8f7c183744c28ee7e84f2804a12185b1d330e25a929dd71c1adee6f6dbfb93

SHA512
86fc9e287d669446159989e463774cba0a5105c5394231782f41fd61cb41647ab48b4d773de11e06538721c4b10900548ac328e38fbfac217927dd9f9fdf9941

Download Submit
memory/2520-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2520-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing