Analysis
max time kernel: 90s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 17:32
Static task: static1
Behavioral task: behavioral1
  Sample: RUSSKAYA-GOLAYA.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: RUSSKAYA-GOLAYA.exe
  Resource: win10v2004-20220901-en
General
Target: RUSSKAYA-GOLAYA.exe
Size: 182KB
MD5: a61b567cf0d6215a9816a9655525e2bc
SHA1: 481add92cc4cf0ba9954de2ba4daf8537202ac7d
SHA256: f5996699457c022aee006070f20af5d74679f2c38e2a0a77a12806a9f3489077
SHA512: c5b6920896d728042e9f9f67d60430ef0fcbfc9109b0b60473288cd4c7439a9d335c31cc6a0c0a7d439a4bef210bb6d0cfc880ede1da02f3a28f2b1770e78153
SSDEEP: 3072:QBAp5XhKpN4eOyVTGfhEClj8jTk+0h5TlWn6:HbXE9OiTGfhEClq9IlW6
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  14    2136  WScript.exe

Drops file in Drivers directory (2 IoCs)
  description                   ioc                                     Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts   cmd.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hîsts   WScript.exe
  (The second path is reproduced as the report shows it, with a non-ASCII "î" in the name. If that is the real name on disk, it is a separate file created beside the hosts file, not the hosts file itself; only the cmd.exe write touches the real hosts file.)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  RUSSKAYA-GOLAYA.exe

Drops file in Program Files directory (8 IoCs)
  description                   ioc                                                                                                                                                                       Process
  File created                  C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.klm                                                                                                RUSSKAYA-GOLAYA.exe
  File opened for modification  C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.klm                                                                                                RUSSKAYA-GOLAYA.exe
  File created                  C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs                                                                                                cmd.exe
  File opened for modification  C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs                                                                                                cmd.exe
  File created                  C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat                                                                                        RUSSKAYA-GOLAYA.exe
  File opened for modification  C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat                                                                                        RUSSKAYA-GOLAYA.exe
  File created                  C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff  RUSSKAYA-GOLAYA.exe
  File opened for modification  C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff  RUSSKAYA-GOLAYA.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  RUSSKAYA-GOLAYA.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process              procid_target
  PID 5000 wrote to memory of 536   5000  RUSSKAYA-GOLAYA.exe  81
  PID 5000 wrote to memory of 536   5000  RUSSKAYA-GOLAYA.exe  81
  PID 5000 wrote to memory of 536   5000  RUSSKAYA-GOLAYA.exe  81
  PID 5000 wrote to memory of 2136  5000  RUSSKAYA-GOLAYA.exe  83
  PID 5000 wrote to memory of 2136  5000  RUSSKAYA-GOLAYA.exe  83
  PID 5000 wrote to memory of 2136  5000  RUSSKAYA-GOLAYA.exe  83
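The report records cmd.exe and WScript.exe opening C:\Windows\System32\drivers\etc\hosts for modification but does not show what was written. The auditor below is an added example, not code from the report or from the sandbox: given a hosts file recovered from the host, it flags entries that sinkhole update or security-vendor domains to loopback or 0.0.0.0, entries that point names at external addresses, non-ASCII hostnames, and malformed lines, while leaving stock localhost entries and private-range overrides alone. The protected-domain list and the sample hosts content are constructed for illustration.

```python
"""Audit a Windows hosts file for tampering of the kind the report records
(added example; the hosts content below is constructed, not from the report)."""
import ipaddress

# Domains whose sinkholing blinds updates or security tooling. Constructed,
# illustrative list; extend with what matters in your environment.
PROTECTED = ("windowsupdate.com", "microsoft.com", "virustotal.com")
# Names that legitimately map to loopback in a stock hosts file.
LOCAL_ONLY = {"localhost", "localhost.localdomain", "broadcasthost",
              "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line number, address token, [hostnames]) for each active entry,
    dropping blank lines and everything after a '#' comment marker."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()
        if entry:
            yield lineno, entry[0], entry[1:]


def audit_hosts(text, protected=PROTECTED):
    """Return (line number, rule, detail) tuples for suspicious entries."""
    findings = []
    for lineno, token, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            findings.append((lineno, "malformed_address", token))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified      # 127.x, ::1, 0.0.0.0
        external = not (sinkhole or addr.is_private or addr.is_link_local)
        for host in names:
            name = host.lower().rstrip(".")
            if name in LOCAL_ONLY:
                continue
            if any(ord(c) > 127 for c in name):
                # IDN / homoglyph hostname: rarely legitimate in a hosts file
                findings.append((lineno, "non_ascii_hostname", host))
            if sinkhole:
                hit = any(name == d or name.endswith("." + d) for d in protected)
                findings.append((lineno, "sinkhole_protected" if hit else "sinkhole", host))
            elif external:
                findings.append((lineno, "external_redirect", f"{host} -> {token}"))
    return findings


# Constructed hosts file: stock header comments plus the kinds of entries a
# tampered copy might carry. Findings refer to these line numbers.
SAMPLE_HOSTS = """\
# Default header comments of a stock Windows hosts file (comments only).
#
# 127.0.0.1       localhost
127.0.0.1 localhost
10.0.0.5 intranet.corp.example
0.0.0.0 update.microsoft.com
127.0.0.1 www.virustotal.com www.malwarebytes.com
45.0.0.1 login.example-bank.test  # redirect to an attacker address (constructed)
127.0.0.1 \u0430pple.com
not-an-ip broken.example
"""

if __name__ == "__main__":
    for lineno, rule, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {rule}: {detail}")
```

Private-range mappings are deliberately not flagged, since corporate hosts files use them; a redirect is only reported when the target is a routable address. Any active loopback entry for a name outside the stock set is reported because a clean Windows hosts file contains comments only.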
Processes

1. C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe  (PID 5000)
   command line: "C:\Users\Admin\AppData\Local\Temp\RUSSKAYA-GOLAYA.exe"
   - Checks computer location settings
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe  (PID 536, child of 5000)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat" "
      - Drops file in Drivers directory
      - Drops file in Program Files directory

   2. C:\Windows\SysWOW64\WScript.exe  (PID 2136, child of 5000)
      command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs"
      - Blocklisted process makes network request
      - Drops file in Drivers directory

The child images resolve under SysWOW64 although the command lines name System32: the sample is 32-bit (see the arch:x86 resource tag), so its children run under WoW64 file-system redirection. The chain is: the sample drops the .bat and runs it through cmd.exe; the .bat writes the .vbs; the sample then launches WScript.exe on the .vbs, which makes the network request.
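The chain in the process tree (sample drops a .bat and runs it through cmd.exe, the .bat writes a .vbs that WScript.exe later runs, both children write under drivers\etc, and WScript.exe then goes to the network) is what a detection should key on rather than the throwaway file names. The rules below are an added example, not the sandbox's signature engine or any code from the page; they run over a constructed event list modelled on the report's process tree, IoCs and PIDs. The event schema, the ordering, the sample's own parent (recorded as None) and the network destination are assumptions; the paths, PIDs and registry key are taken from the report.

```python
"""Detection rules for the behaviour chain in the report, run over constructed
process/file/registry/network events (added example, not the sandbox's engine)."""
import re

SID = "S-1-5-21-929662420-1054238289-2961194603-1000"   # from the report
DROP_DIR = "C:\\Program Files (x86)\\moby duck\\rider_on_the_storm"
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUSSKAYA-GOLAYA.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
WSCRIPT = "C:\\Windows\\SysWOW64\\WScript.exe"

GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
DRIVERS_ETC_RE = re.compile(r"\\drivers\\etc\\([^\\]+)$", re.IGNORECASE)
KNOWN_DRIVERS_ETC = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1")
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
NET_SUSPECT = {"wscript.exe", "cscript.exe", "mshta.exe"}   # script hosts that rarely need egress

# Constructed events modelled on the report. Schema, ordering, the sample's
# parent (None) and the destination are assumptions; paths/PIDs/key are the report's.
EVENTS = [
    {"type": "process_create", "pid": 5000, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 5000, "image": SAMPLE,
     "key": "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"},
    {"type": "file_create", "pid": 5000, "image": SAMPLE, "path": DROP_DIR + "\\froggi_noggi_topppi_nocci.bat"},
    {"type": "process_create", "pid": 536, "ppid": 5000, "image": CMD,
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /c ""' + DROP_DIR + '\\froggi_noggi_topppi_nocci.bat" "'},
    {"type": "file_create", "pid": 536, "image": CMD, "path": DROP_DIR + "\\ne_nu_ne_zraza_li.vbs"},
    {"type": "file_modify", "pid": 536, "image": CMD, "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"type": "process_create", "pid": 2136, "ppid": 5000, "image": WSCRIPT,
     "cmdline": '"C:\\Windows\\System32\\WScript.exe" "' + DROP_DIR + '\\ne_nu_ne_zraza_li.vbs"'},
    {"type": "file_modify", "pid": 2136, "image": WSCRIPT, "path": "C:\\Windows\\System32\\drivers\\etc\\h\u00eests"},
    {"type": "network", "pid": 2136, "image": WSCRIPT, "dest": "45.0.0.1:80"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def root_pid(pid, parents):
    """Walk ppid links to the top of the tree we have seen (cycle-safe)."""
    seen = set()
    while parents.get(pid) is not None and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyse(events, hosts_editors_allowed=frozenset()):
    """Return one finding dict per rule hit, in event order."""
    findings = []
    parents = {}            # pid -> ppid, for attributing a launch to its tree root
    dropped_scripts = {}    # lower-cased path of a created script -> creator pid
    for e in events:
        kind, pid, image = e["type"], e["pid"], basename(e["image"])
        if kind == "process_create":
            parents[pid] = e["ppid"]
            if image in SCRIPT_HOSTS:
                # a script host launched on a file this tree wrote moments before
                cmd = e["cmdline"].lower()
                for path, creator in dropped_scripts.items():
                    if path in cmd:
                        findings.append({"rule": "script_drop_and_exec", "pid": pid, "creator_pid": creator,
                                         "root_pid": root_pid(pid, parents), "path": path})
        elif kind == "registry_query":
            if GEO_RE.search(e["key"]):
                findings.append({"rule": "geofence_check", "pid": pid, "key": e["key"]})
        elif kind in ("file_create", "file_modify"):
            path = e["path"]
            if kind == "file_create" and path.lower().endswith(SCRIPT_EXT):
                dropped_scripts[path.lower()] = pid
            m = DRIVERS_ETC_RE.search(path)
            if m:
                name = m.group(1)
                if name.lower() == "hosts":
                    if image not in hosts_editors_allowed:
                        findings.append({"rule": "hosts_tamper", "pid": pid, "image": image})
                elif name.lower() not in KNOWN_DRIVERS_ETC:
                    # anything else under drivers\etc, including look-alike names
                    findings.append({"rule": "drivers_etc_unexpected_name", "pid": pid, "name": name})
        elif kind == "network" and image in NET_SUSPECT:
            findings.append({"rule": "script_host_network", "pid": pid, "image": image, "dest": e["dest"]})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

The script-drop rule ties the launch back to the creator and to the tree root, which is what turns two unrelated-looking cmd.exe and WScript.exe launches into one incident rooted at PID 5000. The hosts rule takes an allowlist of images permitted to edit the file so that a deployment tool can be excluded without silencing the rule.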
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file (no path shown in the report)
  Filesize: 1KB
  MD5: 7943d0b7f844abda81e1060a0a58d25a
  SHA1: 5b076824df056229a97ce88e3c410a786efd3593
  SHA256: 90113a92bd6c6ca365d03a8acd81684751bfaa52de064badab771b7e115e6acb
  SHA512: 0e22276d78bd645828c88fc19832c6b13113f742b149bfc11efda07f2a4cba9ffa9db12ed2e6c4d982c0ea5e521863f437d47bb54f1d57872fb99b7d8071cb78

Dropped file (no path shown in the report)
  Filesize: 1KB
  MD5: b6ab38961be299354ef66e42ef9945a4
  SHA1: 386b6a80ca46990bc53b610cbd76f1f69c79f7c1
  SHA256: ded723036ee22227512a6de199afe531aa5fc01950b6fac806e0ff744f279d0d
  SHA512: f9f87add71ced532a73ca6f3396bc2c9d8893d602e8ff8f1afe184ef69fc19d8bfef1e990a866f0e34bcdef7c91889b858b7a31812d008e4e3a55c64bad80462

Dropped file (no path shown in the report; same hashes as the previous entry)
  Filesize: 1KB
  MD5: b6ab38961be299354ef66e42ef9945a4
  SHA1: 386b6a80ca46990bc53b610cbd76f1f69c79f7c1
  SHA256: ded723036ee22227512a6de199afe531aa5fc01950b6fac806e0ff744f279d0d
  SHA512: f9f87add71ced532a73ca6f3396bc2c9d8893d602e8ff8f1afe184ef69fc19d8bfef1e990a866f0e34bcdef7c91889b858b7a31812d008e4e3a55c64bad80462

C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff
  Filesize: 87B
  MD5: 2048e7f377827684952eac6638737664
  SHA1: 177f0e8e28f88204df60059d64c6ec3bc108a673
  SHA256: e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688
  SHA512: 624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916