Analysis
max time kernel: 31s
max time network: 59s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2022, 22:30
Static task: static1
Behavioral task: behavioral1
Sample: 9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe
Resource: win10v2004-20220812-en
General
Target: 9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe
Size: 932KB
MD5: 0f7bfe0b1d83928a4783c8073f91da70
SHA1: 6f1d5c1fd1deed3986d9a80c1ca6277e74e29a79
SHA256: 9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd
SHA512: adf931a777d9353fdf153ad49fe37f0f4a5e309016492cad1d6a6478e5cc720d440c1e86700a1bef26adcd028989ae44b61340fd1cf7a63856412d78c73f5508
SSDEEP: 12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSdAunKMBlRP33:71/aGLDCM4D8ayGMZo8/EsKzpdM7j
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid: 1808, Process: kolva.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kolva.exe"
  Process: kolva.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4948 wrote to memory of 1808 | pid: 4948 | Process: 9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe | procid_target: 60
  description: PID 4948 wrote to memory of 1808 | pid: 4948 | Process: 9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe | procid_target: 60
  description: PID 4948 wrote to memory of 1808 | pid: 4948 | Process: 9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe | procid_target: 60
Processes
1. C:\Users\Admin\AppData\Local\Temp\9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe"
   PID: 4948
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\kolva.exe (child of PID 4948)
      Command line: "C:\ProgramData\kolva.exe"
      PID: 1808
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads