Analysis

  • max time kernel
    82s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2022, 16:17 UTC

General

  • Target

    GOLAYA-RUSSKAYA.exe

  • Size

    151KB

  • MD5

    aaf0874d953648fd0ad4e3c5feafadf4

  • SHA1

    7cb3b848597874b9cede25f50384b6a8fb7e6b52

  • SHA256

    0dd70b2100074429aaf6cd7e05fc1a59a99b966e7e9cece0bd2c480cf22af506

  • SHA512

    874e5dcbcba54fd42360a55b8856c6f4820bd688a2c6ed658a72fd20d359456e08bf020ab86b97027f62b8b08fe0b94ef09b6342ccb8afa695778b45cfeccb1f

  • SSDEEP

    3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hihuknsA/ys79aWi:AbXE9OiTGfhEClq9Djn9/xgWi

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1620
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1616

Network

  • 64.62.191.222:4321
    WScript.exe
    152 B
    3
  • 64.62.191.222:4321
    WScript.exe
    152 B
    3

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\a_nu_ka_devochki.vbs

    Filesize

    951B

    MD5

    f2595768bf7424b0030864bca0386b09

    SHA1

    e1b8bbcc901deb8708d851bf67f81946a804f783

    SHA256

    8cbe82719aff3cceb24da590e35835dc85d8030208040c4f93e4b11e719b8d73

    SHA512

    3d0a3fe27855368db7f36e3318953651f837dde6716d9de6a37f902d612edce31da80462c7f52fb42d4a52092099cc5ca00f94e0d2061d7b1d29b4b526b6e9a3

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\davai_tantsui_veselei.ne_zalei

    Filesize

    61B

    MD5

    9404104eb96e6b369093f58ad743f20d

    SHA1

    5c35fe22aeccce534b5f643ea7aadfce960a273e

    SHA256

    ba512a6beb542413a6c772c73b6137295cfaff9ef6dc1dbd96846082d8175545

    SHA512

    1c6f904f27811589682e26be099a8827fbca6467d351973a2ce5d5b0aca2efc0c30cbb38f7b466558e7c1db7d381c8a4ec75cc88579ad364184ab1e3b1ff599b

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\i_ni_maromoiki.kiss

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\v_rite_serdtsa.bat

    Filesize

    4KB

    MD5

    b4f31c6ccfcad7e15bcca836ee0047dd

    SHA1

    8118abbfe00fa91c241a464c83595ccd7184b775

    SHA256

    75829affabf18b574faf07101723a1d3decca372dd641767123d381055bcea89

    SHA512

    fe40b18a7e9c996f99c45088b12c746e6ad624441d23ce47119d6881039dfd49b3d5556950fa9df69bd9e640ef362def6effdb7d5822205f730c9e4bf73f853a

  • C:\Program Files (x86)\tselovatsa v gubi stali\a potom\vot_eto_malshik.vbs

    Filesize

    336B

    MD5

    a36a38933baa8764f1a2ca6213774425

    SHA1

    e8bfcff2fa5bf5e96b7c4f5e78b2252efb3c9ee5

    SHA256

    fe25059fe3fcfbf036bc5c7597804bc8c056cac2b21bbd01e42958d0c76bc1fa

    SHA512

    b637ba599a11b3797fc2e506ec3b681e9ca50f81641ef7c30b7758babebcdea475649d8577f01f9426c7a6d7a7dde715476edd5ff03ff5b159f9aaf194765d2f

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    22cf8376bd7251da68d1ac0c6231e294

    SHA1

    d8388e49907f5a80b2be219665a7fe2607204bc4

    SHA256

    18bf7cfa28c572d4c2be927596d30c4e9c82e0a695963c1f7209eb5c6b119592

    SHA512

    541c1589234965c5a64e6ed7fdb332b5a065cc1e2d555928a51aec14aaf57793844fc63724a1878bd1abba8bb641d6879a5311454616cdbf7509e85dcd52e446

  • memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB
