Analysis

  • max time kernel
    31s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/10/2022, 22:30

General

  • Target

    9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe

  • Size

    932KB

  • MD5

    0f7bfe0b1d83928a4783c8073f91da70

  • SHA1

    6f1d5c1fd1deed3986d9a80c1ca6277e74e29a79

  • SHA256

    9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd

  • SHA512

    adf931a777d9353fdf153ad49fe37f0f4a5e309016492cad1d6a6478e5cc720d440c1e86700a1bef26adcd028989ae44b61340fd1cf7a63856412d78c73f5508

  • SSDEEP

    12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSdAunKMBlRP33:71/aGLDCM4D8ayGMZo8/EsKzpdM7j

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe
    "C:\Users\Admin\AppData\Local\Temp\9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe"
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\ProgramData\kolva.exe
      "C:\ProgramData\kolva.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1808

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Saaaalamm\Mira.h

    Filesize

    394KB

    MD5

    b33bdc899f9a976363a9ba342d7fe942

    SHA1

    fe8a7a50f71c08bfc8cd3c36e959e4885e893dbe

    SHA256

    dd93fd1c39fd7c65413d8a36219c41a495d33b2b382e03369784a1465d8274fe

    SHA512

    02fd04627557a23a8642f3df44fae04a609a617ec8602ea9976ad1739b18dc7197b55c849a453a4d2060824bc837154c219b435f19c66a6d1ec8ae2342fa5622

  • C:\ProgramData\Saaaalamm\Mira.h

    Filesize

    477KB

    MD5

    71e38cb8371fa644436922e0eee6040d

    SHA1

    6e9e897cb95fd8434891e87a584f5f1b9482cae2

    SHA256

    2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4

    SHA512

    852954de6ce9732c6533d475ebd22f308c5659690d5197dd5865cde0ef740b40f380035baf8d9e6e38dc0541b5f16ffb01ea1560cbb89528ec4b2214c7fcc3be

  • C:\ProgramData\kolva.exe

    Filesize

    409KB

    MD5

    6f8afa4750430239aa7a34cb46c12b2b

    SHA1

    a58d0eaa1bb556bd1920e928ea4a27d24f1f9d44

    SHA256

    7aa5c3b1e603b055c0613c7d91344358da54bd4ffaac24510a83927f32b81c6a

    SHA512

    7ebbaadae6360db632504d96643a961e88516fa476cfc182aca9567325827174879fab64143573e296f091c2196835d7ec7694d8c7a4805f374baecb3303ab83

  • C:\ProgramData\kolva.exe

    Filesize

    454KB

    MD5

    cacfe159ab07a77ae67255517e5445f3

    SHA1

    22df11c2fe1e24561ac0bb909f5642cf67143661

    SHA256

    c0cd5222bebb00a1fa13b91519ae949669f63b228f5ec30e334239e522aed9ae

    SHA512

    d7aef2114a07b34784e89ebaa3b544150e907f9ed6be9ab20c9d329b7df932447dc20f9b465bee53823419f86208f3718460090444cb456247c2d6497bd90d68

  • memory/4948-132-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/4948-137-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB
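A hunting script built from the indicators above, added here as an example; it is not part of the tria.ge report. It embeds the SHA256 values listed under Downloads and the two drop paths (C:\ProgramData\kolva.exe and C:\ProgramData\Saaaalamm\Mira.h), walks a drive root or mounted image, and reports any file whose hash matches or which sits at a known drop path. Because the report records two different size/hash pairs for each dropped file, both are accepted, and a path match without a hash match is still reported rather than discarded. The report names a Run key but not its value name, so the autorun check matches on command data pointing at the dropped executable; the `suspicious_run_values` helper, the demo directory tree and the sample Run entries are constructed for this example and are not from the report.

```python
"""Hunt for the artifacts recorded in the tria.ge report on a drive root or a
mounted disk image. Added example; not the report's or tria.ge's own code."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads section. kolva.exe and
# Mira.h are each listed twice with different sizes, so both hashes are kept.
IOC_SHA256 = {
    "9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd": "original sample",
    "dd93fd1c39fd7c65413d8a36219c41a495d33b2b382e03369784a1465d8274fe": "Mira.h (394KB)",
    "2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4": "Mira.h (477KB)",
    "7aa5c3b1e603b055c0613c7d91344358da54bd4ffaac24510a83927f32b81c6a": "kolva.exe (409KB)",
    "c0cd5222bebb00a1fa13b91519ae949669f63b228f5ec30e334239e522aed9ae": "kolva.exe (454KB)",
}

# Drop paths from the report, relative to the drive root, lower-cased because
# NTFS paths are case-insensitive.
IOC_RELPATHS = {
    "programdata/kolva.exe",
    "programdata/saaaalamm/mira.h",
}


def sha256_of(path):
    """Stream a file through SHA256 so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk `root` and return (path, reason) hits: a known SHA256, or a file at
    a known drop path whose content no longer matches a recorded hash."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix().lower()
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if digest in IOC_SHA256:
                hits.append((str(p), "sha256 match: " + IOC_SHA256[digest]))
            elif rel in IOC_RELPATHS:
                hits.append((str(p), "drop path match (hash differs; file may have been rewritten)"))
    return hits


# Matches a Run value whose command is, or starts with, <drive>:\ProgramData\kolva.exe,
# quoted or not. Hypothetical helper: the report does not give the value name.
RUN_KEY_RE = re.compile(r'(?i)(?:^|[\s"])[a-z]:\\programdata\\kolva\.exe(?:$|[\s"])')


def suspicious_run_values(entries):
    """`entries` is an iterable of (value_name, command) pairs, e.g. parsed from
    the output of `reg query HKCU\\...\\CurrentVersion\\Run`."""
    return [(name, cmd) for name, cmd in entries if RUN_KEY_RE.search(cmd)]


# Constructed sample Run entries for the demo (not from the report).
DEMO_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("kolva", r"C:\ProgramData\kolva.exe"),
    ("Updater", r'"C:\ProgramData\kolva.exe"'),
    ("Notepad", r"C:\Windows\System32\notepad.exe C:\ProgramData\notes.txt"),
]


def build_demo_tree():
    """Create a constructed mini drive root: a benign file plus a file at the
    kolva.exe drop path with arbitrary content (so only the path matches)."""
    root = Path(tempfile.mkdtemp(prefix="iochunt_"))
    (root / "ProgramData").mkdir()
    (root / "ProgramData" / "kolva.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "Users").mkdir()
    (root / "Users" / "readme.txt").write_text("nothing to see here")
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_demo_tree()):
        print(f"[file] {path}: {reason}")
    for name, cmd in suspicious_run_values(DEMO_RUN_ENTRIES):
        print(f"[run ] {name} = {cmd}")
```

Run it against a mounted image with `scan_tree("/mnt/image")` or, on the live host, `scan_tree(r"C:\")`; feed `suspicious_run_values` the parsed HKCU and HKLM Run values. A hash-only sweep would have missed the rewritten kolva.exe, which is why the path check is kept as a second, weaker signal.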