Analysis

  • max time kernel
    111s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 17:29

General

  • Target

    GOLAYA-DEVOCHKA.exe

  • Size

    210KB

  • MD5

    e3ed299ce4982a14a6636310994345e3

  • SHA1

    3734d5ef93aa6a4f5c3f4052e4bd4e20a3218e6e

  • SHA256

    93797469edd71571dac60f7b6e6575904803e00f3ad8504bd341570f64f0bd3e

  • SHA512

    9d3c33a0d826406c359d5bda8ce79348d31540ba3cbed904806cb2aabba5275169f417e5c6e338b102e557c4e004fcecee1504e3b08bbc70eab5d579e42233e8

  • SSDEEP

    3072:EBAp5XhKpN4eOyVTGfhEClj8jTk+0h8xwNhQs+Cgw5CKHG:TbXE9OiTGfhEClq9hwCJJUG

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Drops file in Drivers directory (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (13 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:1620
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
      • Blocklisted process makes network request
      • Drops file in Drivers directory
      PID:4836
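The tree above is a common dropper pattern: an executable run from the user's Temp directory writes a .bat and a .vbs under a throwaway Program Files (x86) folder and hands them to cmd.exe and WScript.exe. Note that both script hosts are imaged from SysWOW64 although their command lines name system32; that is WOW64 file-system redirection, which tells you the parent is a 32-bit process (matching the arch:x86 tag). The following is an added triage script, not tria.ge code and not part of the original report: it takes process-creation records of the kind Sysmon Event ID 1 or the sandbox process log would give you, constructed here from the command lines and PIDs printed above (the root process's parent PID is not in the report and is set to 0), and flags script hosts whose script lives under Program Files, whose parent runs from user Temp, or that show the WOW64 redirection.

```python
"""Process-chain triage for a tree like the one in this report.

Added example, not tria.ge code. It checks process-creation records for a
script host (cmd.exe, wscript.exe, cscript.exe) that is launched from a
parent in a user-writable Temp directory and executes a script dropped
under Program Files, and it notes when the host runs under WOW64 (image in
SysWOW64 while the command line names system32). The records below are
constructed from the command lines and PIDs printed in the report; the
parent PID of the root process is not in the report and is set to 0.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs as listed there).
EVENTS = [
    Proc(1352, 0, r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"'),
    Proc(1620, 1352, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "'),
    Proc(4836, 1352, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"'),
]

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
# First drive-rooted path in the command line that ends in a script extension.
SCRIPT_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd|vbs|vbe|js|jse|ps1))', re.I)
PROGRAM_FILES = re.compile(r'^[A-Za-z]:\\Program Files( \(x86\))?\\', re.I)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain(events, pid: int):
    """Image basenames from the root of the tree down to `pid`."""
    by_pid = {p.pid: p for p in events}
    names = []
    cur: Optional[Proc] = by_pid.get(pid)
    while cur is not None:
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(names))


def analyze(events):
    """Return (pid, host, script path, reasons) for each suspicious script host."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        host = basename(p.image)
        if host not in SCRIPT_HOSTS:
            continue
        m = SCRIPT_PATH.search(p.cmdline)
        if not m:
            continue
        script = m.group(1)
        reasons = []
        if PROGRAM_FILES.match(script):
            reasons.append("script dropped under Program Files")
        parent = by_pid.get(p.ppid)
        if parent is not None and USER_TEMP.search(parent.image):
            reasons.append("parent runs from user Temp")
        if "\\syswow64\\" in p.image.lower() and "system32" in p.cmdline.lower():
            reasons.append("32-bit parent: system32 redirected to SysWOW64")
        findings.append((p.pid, host, script, reasons))
    return findings


if __name__ == "__main__":
    for pid, host, script, reasons in analyze(EVENTS):
        print(f"{pid} {host}: {script}")
        print("   chain:", " -> ".join(chain(EVENTS, pid)))
        for r in reasons:
            print("   -", r)
```

Run stand-alone it reports PIDs 1620 and 4836 with all three reasons each. The path regex deliberately stops at a double quote so that `cmd.exe /c ""…bat" "` is parsed as the inner quoted path rather than from the start of the command line; on real logs you would also want to normalise `%ProgramFiles(x86)%`-style environment variables before matching.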

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

    Filesize

    1KB

    MD5

    2fb5748a38815def7a0db7ca7ac5bad6

    SHA1

    5cdf3f0c71398f249f0a5f4bf77a1875b2a88bf8

    SHA256

    f9196c6301a31804528095e78512bf4ffe5fce1d61b631918a85225e84af305d

    SHA512

    b55727706a27495a8027d5fe04146cd7871f7f56a88f985adee493629e70d8a1d37f075aacec4cb235e891d52296a7a443d26bf79230fd4492c3ab8a3b9c7d45

  • C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua

    Filesize

    1KB

    MD5

    3c939845d4a469ddd0889a669d649720

    SHA1

    6afdc41966133da8346d01b6106b9ace9db07b56

    SHA256

    56dbb7ee03c11a918954494c9343d162e7bc2ecebaf1fec3311fd22dd637d67d

    SHA512

    9cd7a8c062e7314b1bbecbbc12996c9b413b58eafadf7600153ec7bf8e1f7fcbd7b2f4659636d5ef9fa7b23e10f7ef376c7ef24fd1090f8fc6bf524d296eb71b

  • C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs

    Filesize

    1KB

    MD5

    3c939845d4a469ddd0889a669d649720

    SHA1

    6afdc41966133da8346d01b6106b9ace9db07b56

    SHA256

    56dbb7ee03c11a918954494c9343d162e7bc2ecebaf1fec3311fd22dd637d67d

    SHA512

    9cd7a8c062e7314b1bbecbbc12996c9b413b58eafadf7600153ec7bf8e1f7fcbd7b2f4659636d5ef9fa7b23e10f7ef376c7ef24fd1090f8fc6bf524d296eb71b

  • C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

    Filesize

    87B

    MD5

    2048e7f377827684952eac6638737664

    SHA1

    177f0e8e28f88204df60059d64c6ec3bc108a673

    SHA256

    e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

    SHA512

    624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    712e39a3a262f220a58df41e0680f7c0

    SHA1

    4285643061e7360290fa6614e9eb0bb4aa9ada03

    SHA256

    0d746d368cc41605f9de5e5cd84475398f4faac19e1e4306b16db2a339e21a86

    SHA512

    dcfc8073785d5f8d1f56a83f2d0dd9a7d68629330169202cc1fd53df6ab9dfce4ed3c6a5a531ada375241c089179d8f61f39a594a835e53ba6ed77df42d0f14d
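The last entry above is the system hosts file, which is what the "Drops file in Drivers directory" signature is pointing at; the report gives only its size and hashes, not its contents. A stock Windows hosts file contains nothing but comments, so any active mapping in a recovered copy is worth listing, and mappings to loopback or 0.0.0.0 are the usual way a dropper stops security vendors and updaters from resolving. The script below is an added example, not tria.ge code: it parses a hosts file and returns a verdict per mapping. The file it parses is a constructed sample with reserved example names, not the one captured in this run.

```python
"""Triage a Windows hosts file recovered from a sandbox run.

Added example, not tria.ge code. The report records that
C:\\Windows\\System32\\drivers\\etc\\hosts was written but shows only its
size and hashes, so the file below is a constructed sample, not the one
captured in this run. A stock Windows hosts file contains only comments,
so every active mapping is worth listing; mappings to loopback or the
unspecified address are flagged as blackholed, anything else as a redirect.
"""
import ipaddress

# Constructed sample; the first six lines mimic the stock Microsoft header.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 update.example-vendor.test
0.0.0.0   av.example-vendor.test www.av.example-vendor.test
203.0.113.10 online-banking.example
"""

BLACKHOLE = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str):
    """Yield (line number, ip, hostname) for each active mapping."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def triage_hosts(text: str):
    """Return (line number, hostname, verdict) for every non-localhost mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip in BLACKHOLE:
            findings.append((lineno, name, "blackholed"))
        else:
            findings.append((lineno, name, f"redirected to {ip}"))
    return findings


if __name__ == "__main__":
    for lineno, name, verdict in triage_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} {verdict}")
```

A redirect to a routable address (the last sample line) deserves more attention than a blackhole: it is the hosts-file form of DNS hijacking and points at attacker infrastructure you can pivot on. To use this on the file from this run, feed the contents of the dropped hosts file in place of the constructed sample and compare the hash you get against the SHA256 listed above before trusting the copy.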