Analysis

  • max time kernel
    137s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2022, 20:24

General

  • Target

    RUSSKAYA-GOLAYA.exe

  • Size

    151KB

  • MD5

    929249810766a10968b94e8a81612a8c

  • SHA1

    a0feddd63c524bf302822a8e6aaaca3b3778905c

  • SHA256

    e8d096ff9607f10651e1a3f1f472e49221bd32e2a3d1024ea163328b3df4dcc0

  • SHA512

    289af9dd00b9f00faab0b019e4123c2f59efda915b8bfb0129f4e6e99cc44c5a564c951989d2553397ee57cb33835f07ad4e239ae67f97d39bf4abeaceb142e7

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi6uGoo4wFe:AbXE9OiTGfhEClq93dSe

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\lichnost\kolombo\squirting.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\globalki.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:2752
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:3444
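The process tree above is the part of this report a responder would turn into a detection: a binary staged in a user's Temp directory drops scripts into Program Files (x86) and runs them through cmd.exe and WScript.exe. The script below is an added example, not tria.ge output or anything from the sample itself. It parses the listing in the report's own layout (image, command line, "N⤵" depth marker, signature names, "PID:N"), rebuilds parent/child links from the depth markers, flags script hosts whose process chain starts from a user-writable path, and pulls the dropped script paths out of the command lines as IOCs. The REPORT text is a copy of the tree above with bullets stripped; the SCRIPT_HOSTS, USER_WRITABLE and extension lists are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the report's process tree with the bullet markers removed.
# Each record is an image path, its command line, a "N⤵" depth marker,
# zero or more signature names, and a "PID:N" line.
REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
1⤵
Checks computer location settings
Drops file in Program Files directory
Modifies registry class
Suspicious use of WriteProcessMemory
PID:4880
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\lichnost\kolombo\squirting.bat" "
2⤵
Drops file in Drivers directory
Checks computer location settings
Modifies registry class
Suspicious use of WriteProcessMemory
PID:3640
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\globalki.vbs"
3⤵
Blocklisted process makes network request
PID:2752
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs"
2⤵
Drops file in Drivers directory
PID:3444
"""


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False)
    children: List["Proc"] = field(default_factory=list, repr=False)


DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
# Assumed lists for the detection rule; extend to taste.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# Absolute Windows path ending in a script extension, optionally quoted.
SCRIPT_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:bat|cmd|vbs|js|ps1|hta))"?', re.IGNORECASE)


def parse_tree(text: str) -> List[Proc]:
    """Parse the report listing into Proc nodes linked by their depth markers."""
    lines = [ln.rstrip() for ln in text.strip("\n").splitlines()]
    procs: List[Proc] = []
    i = 0
    while i < len(lines):
        image, cmdline = lines[i], lines[i + 1]
        m = DEPTH_RE.match(lines[i + 2])
        if not m:
            raise ValueError(f"expected depth marker, got {lines[i + 2]!r}")
        depth = int(m.group(1))
        j, sigs = i + 3, []
        while not PID_RE.match(lines[j]):      # signature names until PID line
            sigs.append(lines[j])
            j += 1
        proc = Proc(image, cmdline, depth, int(PID_RE.match(lines[j]).group(1)), sigs)
        for cand in reversed(procs):           # parent = latest node one level up
            if cand.depth == depth - 1:
                proc.parent = cand
                cand.children.append(proc)
                break
        procs.append(proc)
        i = j + 1
    return procs


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(p: Proc) -> List[Proc]:
    """Root-to-leaf chain for a process."""
    chain: List[Proc] = []
    while p is not None:
        chain.append(p)
        p = p.parent
    return chain[::-1]


def find_script_host_chains(procs: List[Proc]) -> List[str]:
    """Script hosts whose process chain is rooted in a user-writable directory."""
    hits = []
    for p in procs:
        if basename(p.image) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(p)
        if any(mark in chain[0].image.lower() for mark in USER_WRITABLE):
            hits.append(" > ".join(basename(n.image) for n in chain))
    return hits


def dropped_scripts(procs: List[Proc]) -> List[str]:
    """Script paths referenced on command lines, in first-seen order."""
    found: List[str] = []
    for p in procs:
        for m in SCRIPT_RE.finditer(p.cmdline):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


if __name__ == "__main__":
    tree = parse_tree(REPORT)
    for chain in find_script_host_chains(tree):
        print("suspicious chain:", chain)
    for path in dropped_scripts(tree):
        print("script IOC:", path)
```

The parent lookup relies only on the depth markers, so it also handles siblings at the same depth (here demokrat.vbs under PID 4880 next to the cmd.exe branch). The chain rule is deliberately coarse: any wscript/cscript/mshta/powershell whose root process lives in Temp, Roaming or Public is worth a look, which is the shape of this sample's execution.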

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\lichnost\kolombo\demokrat.vbs

    Filesize

    1KB

    MD5

    a5f3e6c751d3a9b4fd3b7e770a28dad9

    SHA1

    0c066c446e50b33fa92542d3ba52d9e19f9fee42

    SHA256

    7e9d60015fa4eb7eb778faf7e93d884b8a34f1c4ae90c50731c5490743bf50d8

    SHA512

    fb842ed3a2f97de0ad51b3920faf40a6064277e93a3e25df1ae6716041a18a63a00c5d2ebf8c8303bdec583ee3eef954c9267a4841f4313924f4e2193f6b4026

  • C:\Program Files (x86)\lichnost\kolombo\globalki.vbs

    Filesize

    269B

    MD5

    9a52d4ce90c3a194f4f08720fd82c011

    SHA1

    9417fbad36d2b4d6ca189f856edf03cdf4d59d2a

    SHA256

    acafe550fcd9300a5896e975e5b9529d29a748a057cc170791c1e936bfe86f39

    SHA512

    8af852a0f9f66fe1e3973f07cbf6cb260eb225c7c8aa1a40e4c6c3b2629058ae4b4bf75a66a652b852869e757449774749f6ff6d10d162e1fa9bb17d4018fbfe

  • C:\Program Files (x86)\lichnost\kolombo\kontrol.urv

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\lichnost\kolombo\perednyaya.stn

    Filesize

    72B

    MD5

    6cddddd8b0f363a86f561657954a35fb

    SHA1

    4907494320bfe2df258e2d69b1043c29c832ead5

    SHA256

    d910893fcdb753a0a65965037f87f87d3614b16e60e7065f0d7087022819309c

    SHA512

    8daf2ffb0ad6900b24d96f88e37ec3101c61737e3060e522e41c207797190d27d3cb86d7407b24a9df9f7544085e13d8f94e90ff1370cdf6c1f0c47a53818900

  • C:\Program Files (x86)\lichnost\kolombo\squirting.bat

    Filesize

    3KB

    MD5

    a699621849f277d5c0b55e41e0f99115

    SHA1

    848a67613851032f51bd1f6cd7da9a79e399f610

    SHA256

    c18d6e710d4e07f7d6e34def7e3b201b471e49711a8024dcce848968a4120e52

    SHA512

    a91593444dd9ec8ea3648a463a9976a3042e6df4ca105b81c88b8d1d291ecbdc4915062a2ad862c5fc25923647f0f093dcd1dfe103e3003389212235caf36d00

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    e4052dfb3eb9ed5a08c840ef4c94dae0

    SHA1

    a0c8e665659f19d42ac2752b54f735fafdc91178

    SHA256

    21dbd76790026b47dcfe82b7e974474fce88c5e8ef55848e4ea6492923419ad0

    SHA512

    f892629aabdea21bf617359c5e3da17eaf5f528f67045506eab46d1677f0ac5935777eb14e60b9ab61566eba2239255a89d4752ab41ee27ed03fae7982d4ab79
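The last entry is the most useful host-side IOC in this report: both "Drops file in Drivers directory" hits land on C:\Windows\System32\drivers\etc\hosts, and a rewritten hosts file is how malware sinkholes update or AV domains or redirects logins. The report gives the dropped file's hashes but not its contents, so the script below is an added example with constructed data, not the real file and not tria.ge code. It checks a hosts file's hash against the SHA256 listed above, then parses the active mappings and splits them into sinkholed names (pointed at loopback or 0.0.0.0) and redirected names (pointed at any other address). The SAMPLE_HOSTS content and its .test domains are invented for illustration.

```python
import hashlib
import ipaddress
from typing import List, Tuple

# SHA256 of the dropped hosts file as listed in the report.
HOSTS_SHA256 = "21dbd76790026b47dcfe82b7e974474fce88c5e8ef55848e4ea6492923419ad0"

# Constructed sample of a tampered hosts file; the real dropped file's
# contents are not in the report, so nothing below is taken from the sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
0.0.0.0   update.example-av.test
127.0.0.1 telemetry.example.test   # silenced
203.0.113.7 login.example-bank.test   www.example-bank.test
"""

Entry = Tuple[ipaddress._BaseAddress, List[str]]


def matches_ioc(data: bytes, sha256_hex: str) -> bool:
    """True if the file bytes hash to the reported SHA256."""
    return hashlib.sha256(data).hexdigest() == sha256_hex.lower()


def parse_hosts(text: str) -> List[Entry]:
    """Active (ip, [hostnames]) mappings; comments, blanks and junk lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not a usable mapping
        entries.append((ip, [h.lower() for h in parts[1:]]))
    return entries


def classify(entries: List[Entry]):
    """Split mappings into sinkholed names and redirected names, as (name, ip) pairs."""
    blocked: List[Tuple[str, str]] = []
    redirected: List[Tuple[str, str]] = []
    for ip, names in entries:
        sink = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name == "localhost" and sink:
                continue                         # stock mapping, benign
            (blocked if sink else redirected).append((name, str(ip)))
    return blocked, redirected


def audit(text: str) -> dict:
    """One-call summary suitable for a triage script."""
    blocked, redirected = classify(parse_hosts(text))
    return {
        "matches_reported_hash": matches_ioc(text.encode(), HOSTS_SHA256),
        "blocked": blocked,
        "redirected": redirected,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

The stock Windows hosts file contains only comments (the localhost lines are commented out), so on a clean Windows 10 host any active mapping at all is a finding; the block/redirect split tells you whether the aim was to silence something (updates, telemetry, AV) or to hijack it. The hash check is the cheap first test across a fleet: a file that matches the reported SHA256 is the dropped one, a file that does not match but still carries active entries needs the parser.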