Analysis

  • max time kernel: 128s
  • max time network: 177s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30/10/2022, 05:48

General

  • Target: GOLAYA-SEXY.exe
  • Size: 151KB
  • MD5: b779c9d9d65de1d790fcf370accedf6d
  • SHA1: e5f3899a534862bd2f0d4e5d621204963da70206
  • SHA256: 0d875c05ddb62f0fac013ced4aca623d2cc48f4d48ce371db616fa11a9f3a13c
  • SHA512: 901abc68bce172a06b2a98e09fd0c5282ccd191c24844078aaa98f358266a0dca96b4859b079fbfabbb1a6113db961f3c8149dc9b37f78e64ddf97d9196cb344
  • SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiPQZJDoXlYPut6rUI1:AbXE9OiTGfhEClq99QZJDo1Yfr

Score: 8/10

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:3088
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2680

Downloads

  • C:\Program Files (x86)\nenuzni\poqflgodjg\blesk_glag.golo
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs
    Filesize: 1021B
    MD5: bda75a52bea3d6740c753641d2fc5abc
    SHA1: 2a2a12fd4b0a95ce8bde5d7b6c13449055f514ba
    SHA256: d2306a8d871f6e4c59a55e03fba55fd1f8806eab76ed9bf06be4938aaea56afd
    SHA512: e1b6d52df360e4d235ff301f04e49bbc4384e4516171e2e9d81ef19b1a28b883e07da79bb90d980e0d112b443f0a7b891c16384a39f955f5567e45dde2ff10ea

  • C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat
    Filesize: 3KB
    MD5: d45e4538210a2a13c93e6ca1de4f939e
    SHA1: 47b682d8eff21d7b8ed43d2757b7a9dc8a09fe45
    SHA256: cdcb19f3de7ac821b9e591822b4a677282e97e8e189d7fe8b2abd9ef1ee08318
    SHA512: 10552cfad2ac9f379f07c30253f15eab62c6e10e1558a763af6f4c8b6960f4520905c5bb96a47206bb0df3d45e4edf4825fc7be294b5b0498f6ecfb8b5d9a66b

  • C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs
    Filesize: 275B
    MD5: 334922eff7210ece6d3074ce23dd3ce7
    SHA1: d94c5a89d90e0e4762b070f24fd12044b1d23476
    SHA256: fe50ae347013619a323b3e32637b9efac4258cfe21468d796ecb9aeeead993b3
    SHA512: 2716d2daea2e8a940c50a3994b34cb46891a7d29c6075da8643bf96b1f4b3db5372a74c01ac0fb35aab0b88dd7ba5bd40c5db87419c72fa4c55b1b057b086d4f

  • C:\Program Files (x86)\nenuzni\poqflgodjg\stulandos.dik
    Filesize: 64B
    MD5: d80caa2c562946ef8b3becfd0c2247b1
    SHA1: 35a455118db19483352739cf7034c75d6c5826ee
    SHA256: 05fe5ddda80128a2b7073527cdeb4bf4e0434e636af7797a577653966ce25bf9
    SHA512: 5bc110f45d078135c75df9caffea38f524b4bf816cdba53cafa63c7079c7278c8decc7dc124c768bf00662ce9ea2783823a909be740e1440b7051d430a048cc2

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: e4052dfb3eb9ed5a08c840ef4c94dae0
    SHA1: a0c8e665659f19d42ac2752b54f735fafdc91178
    SHA256: 21dbd76790026b47dcfe82b7e974474fce88c5e8ef55848e4ea6492923419ad0
    SHA512: f892629aabdea21bf617359c5e3da17eaf5f528f67045506eab46d1677f0ac5935777eb14e60b9ab61566eba2239255a89d4752ab41ee27ed03fae7982d4ab79