Analysis
max time kernel: 128s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2022, 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: GOLAYA-SEXY.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: GOLAYA-SEXY.exe
  Resource: win10v2004-20220812-en
General
Target: GOLAYA-SEXY.exe
Size: 151KB
MD5: b779c9d9d65de1d790fcf370accedf6d
SHA1: e5f3899a534862bd2f0d4e5d621204963da70206
SHA256: 0d875c05ddb62f0fac013ced4aca623d2cc48f4d48ce371db616fa11a9f3a13c
SHA512: 901abc68bce172a06b2a98e09fd0c5282ccd191c24844078aaa98f358266a0dca96b4859b079fbfabbb1a6113db961f3c8149dc9b37f78e64ddf97d9196cb344
SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiPQZJDoXlYPut6rUI1:AbXE9OiTGfhEClq99QZJDo1Yfr
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  flow 19, PID 3088, process WScript.exe

Drops file in Drivers directory (3 IoCs)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (cmd.exe)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (WScript.exe)
  File opened for modification: C:\Windows\System32\drivers\etc\hîsts (WScript.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (GOLAYA-SEXY.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (cmd.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (9 IoCs)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\blesk_glag.golo (GOLAYA-SEXY.exe)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\stulandos.dik (GOLAYA-SEXY.exe)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs (GOLAYA-SEXY.exe)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\Uninstall.exe (GOLAYA-SEXY.exe)
  File created: C:\Program Files (x86)\nenuzni\poqflgodjg\Uninstall.ini (GOLAYA-SEXY.exe)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\ne_zabudu_nikogda.ico (GOLAYA-SEXY.exe)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\kakiento_nmomenti.ne_trudni.v.vozd (GOLAYA-SEXY.exe)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs (GOLAYA-SEXY.exe)
  File opened for modification: C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat (GOLAYA-SEXY.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (GOLAYA-SEXY.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 5064 (GOLAYA-SEXY.exe) wrote to memory of PID 2348, procid_target 81
  PID 5064 (GOLAYA-SEXY.exe) wrote to memory of PID 2348, procid_target 81
  PID 5064 (GOLAYA-SEXY.exe) wrote to memory of PID 2348, procid_target 81
  PID 2348 (cmd.exe) wrote to memory of PID 3088, procid_target 83
  PID 2348 (cmd.exe) wrote to memory of PID 3088, procid_target 83
  PID 2348 (cmd.exe) wrote to memory of PID 3088, procid_target 83
  PID 5064 (GOLAYA-SEXY.exe) wrote to memory of PID 2680, procid_target 84
  PID 5064 (GOLAYA-SEXY.exe) wrote to memory of PID 2680, procid_target 84
  PID 5064 (GOLAYA-SEXY.exe) wrote to memory of PID 2680, procid_target 84
Processes

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe (PID 5064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2348)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\nenuzni\poqflgodjg\posssikuski.bat" "
    - Drops file in Drivers directory
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe (PID 3088)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\sni_moi_o_tebe.vbs"
      - Blocklisted process makes network request

  C:\Windows\SysWOW64\WScript.exe (PID 2680)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\nenuzni\poqflgodjg\ostanovlus_koad.vbs"
    - Drops file in Drivers directory
Network
MITRE ATT&CK Enterprise v6
Downloads