Analysis
max time kernel: 1s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: GOLAYA-BABE.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: GOLAYA-BABE.exe
  Resource: win10v2004-20231215-en
General
Target: GOLAYA-BABE.exe
Size: 149KB
MD5: ce2c59183c953db0a928dd2b35617782
SHA1: 57a06ae1bf3e53eb433370e153d59e955673d3ce
SHA256: a9c84d69a5b984ad536e841e7862be252607c6e58fbc08865dff980309013125
SHA512: 5668235ffd3fee5ccfa70afc0b11a0fe0ce5290015ea6478ca3c67d88563e1fb935d43ff1ec1a22cf657eb2e75b55aec623bf949c8473fa4271ff573a5cb3a96
SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hi5KoCWyekax:AbXE9OiTGfhEClq9+o2e5
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  description                   ioc                                      process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts    cmd.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (9 IoCs)
  description                   ioc                                                              process
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\bautmyside.txt          GOLAYA-BABE.exe
  File created                  C:\Program Files (x86)\inown\aboutmyside\Uninstall.ini           GOLAYA-BABE.exe
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\slonik.pokakal          GOLAYA-BABE.exe
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat      GOLAYA-BABE.exe
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\lit.vbs                 GOLAYA-BABE.exe
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\infocars.vbs            GOLAYA-BABE.exe
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\Uninstall.exe           GOLAYA-BABE.exe
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\nerabotaert.life        GOLAYA-BABE.exe
  File opened for modification  C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs      GOLAYA-BABE.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid    process           procid_target
  PID 2532 wrote to memory of 2756     2532   GOLAYA-BABE.exe   20    (reported 4 times)
  PID 2756 wrote to memory of 2648     2756   cmd.exe           21    (reported 4 times)
  Both pairs correspond to the parent-child process creations shown in the process tree below (2532 GOLAYA-BABE.exe -> 2756 cmd.exe, 2756 cmd.exe -> 2648 WScript.exe); on its own this signature does not show injection into an unrelated process.
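The report only records that cmd.exe opened C:\Windows\System32\drivers\etc\hosts for modification; what was written has to be checked from the file itself. The following Python is an added example (not part of the tria.ge report or the sample) that parses a hosts file and labels mappings that are not expected in a stock Windows install. SAMPLE_HOSTS is constructed for illustration, using reserved .invalid domain names.

```python
# Added example (not part of the tria.ge report): triage a Windows hosts file
# after a sandbox run flags it as opened for modification. SAMPLE_HOSTS is a
# constructed input: a stock header plus three appended lines of the kind an
# installer .bat might add.
import ipaddress

# Names a stock Windows hosts file may map to loopback without being suspicious.
DEFAULT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
0.0.0.0 update.example-av.invalid
0.0.0.0 telemetry.example.invalid    # appended by installer (constructed)
198.51.100.7 login.example-bank.invalid
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping; comments are stripped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: the resolver ignores the line too
        for name in fields[1:]:
            yield line_no, str(ip), name.lower()


def classify(ip, name):
    """Label a mapping: None (expected), 'sinkhole' (name blocked) or 'redirect'."""
    addr = ipaddress.ip_address(ip)
    if name in DEFAULT_LOCAL and (addr.is_loopback or addr.is_unspecified):
        return None
    if addr.is_unspecified or addr.is_loopback:
        return "sinkhole"   # 0.0.0.0 / 127.0.0.1: blocks update, AV or telemetry hosts
    return "redirect"       # points the name at an address the attacker chooses


def suspicious_entries(text):
    """Return [(line_no, ip, name, label)] for every mapping that is not expected."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        label = classify(ip, name)
        if label:
            findings.append((line_no, ip, name, label))
    return findings


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(entry)
```

Run it against the hosts file recovered from the sandbox (or a live host) instead of SAMPLE_HOSTS; a "sinkhole" finding on an update or security vendor name is the usual reason an installer touches this file, while a "redirect" to a non-local address is worth treating as credential-theft infrastructure until proven otherwise.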
Processes
C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"
  PID: 2532
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat" "
      PID: 2756
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\SysWOW64\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\infocars.vbs"
          PID: 2648
  |
  +-- C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs"
      PID: 1964

Note that cmd.exe and WScript.exe are loaded from SysWOW64 although the command lines name System32: the installer is a 32-bit process on this x64 image, so WOW64 file system redirection applies to the children it starts. The hosts file modification is attributed to cmd.exe (PID 2756), i.e. to podkluchidruga.bat, and both .vbs files run from the directory the installer populated under Program Files (x86).
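The chain above (installer dropped in %TEMP% -> cmd.exe running a .bat from Program Files -> WScript.exe running a .vbs from the same directory) is a pattern worth detecting in process-creation telemetry generally, not only in this sandbox run. The Python below is an added example, not code from the tria.ge report or the sample. EVENTS is constructed from the PIDs and command lines in the tree plus a benign control; the event schema (pid/ppid/image/cmdline dicts) is an assumption loosely modelled on Sysmon Event ID 1 fields, and the installer's parent PID 1200 is invented.

```python
# Added example (not part of the tria.ge report): flag script-host processes
# (wscript/cscript) whose ancestry includes an image run from %TEMP%, and note
# whether a cmd.exe running a .bat sits in between. EVENTS is constructed from
# the report's process tree; the schema and PID 1200 are assumptions.
import ntpath
import re

EVENTS = [
    {"pid": 2532, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-BABE.exe"'},
    {"pid": 2756, "ppid": 2532,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Program Files (x86)\inown\aboutmyside\podkluchidruga.bat" "'},
    {"pid": 2648, "ppid": 2756,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\infocars.vbs"'},
    {"pid": 1964, "ppid": 2532,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\inown\aboutmyside\ebanettkebanet.vbs"'},
    # Benign control (constructed): explorer launching notepad.
    {"pid": 3000, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# First drive-letter path on the command line that ends in a script extension
# and is followed by a quote, whitespace or end of string.
SCRIPT_RE = re.compile(
    r'"?([A-Za-z]:\\[^"]+?\.(?:bat|cmd|vbs|vbe|jse|js|wsf))(?=["\s]|$)', re.IGNORECASE)
TEMP_MARK = "\\appdata\\local\\temp\\"


def script_path(cmdline):
    """Return the script file a command line executes, or None."""
    m = SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def image_name(path):
    return ntpath.basename(path).lower()


def ancestors(event, by_pid, limit=8):
    """Parent, grandparent, ... of event (bounded; stops at PIDs not in the data)."""
    chain, cur = [], event
    while cur["ppid"] in by_pid and len(chain) < limit:
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def find_script_chains(events):
    """One finding per script host with a %TEMP%-resident image among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        script = script_path(e["cmdline"])
        if script is None:
            continue
        parents = ancestors(e, by_pid)
        if not any(TEMP_MARK in p["image"].lower() for p in parents):
            continue  # script host, but not descended from something run out of %TEMP%
        via_bat = any(image_name(p["image"]) == "cmd.exe"
                      and (script_path(p["cmdline"]) or "").lower().endswith(".bat")
                      for p in parents)
        findings.append({
            "pid": e["pid"],
            "script": script,
            "via_bat": via_bat,
            "chain": [image_name(p["image"]) for p in reversed(parents)] + [image_name(e["image"])],
        })
    return findings


if __name__ == "__main__":
    for f in find_script_chains(EVENTS):
        print(f)
```

On the constructed events this yields two findings, PID 2648 (via the .bat) and PID 1964 (started directly by the installer), and nothing for the explorer/notepad control. The ancestry walk is bounded and tolerates a missing parent, which matters on real telemetry where the root of a tree often predates collection.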
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 818B
MD5: 302a03c9ba9820a52adf3b5ee5462421
SHA1: 68143e5c8c9f915f6191fc4c6f38220498ca0042
SHA256: 3ce49b9d89a945c16926ff75af1330051204878644b45dc2c4e0cb883ffae176
SHA512: 12b4c2c936f535b53b5198e9222fe2ac69aae6d53ea35cc8200f7044c8d77a5f4793faea4e0d84544fe60fc942c4b0f62981a15390d8049ec4d939ce92ce0cc0

Filesize: 334B
MD5: 4dac2c8699edc17fbb7036ca3ec636b6
SHA1: e8a316283f5ad515a4163395442556aa41c929c7
SHA256: 6e0b74f4db571a5acb966ee1dd836c61b723a59ccc31aeff28e678068b43fbdf
SHA512: 4f0dc350e1e465ec609ff44e3618a57e16af6f7221072965afd70c00fe778831b869677cfc321c3bcd411885946ed486b88b5efca68729ad6bb0e0ba32932a10

Filesize: 50B
MD5: 2fbbd6510fe26068e7e81bbc7c185025
SHA1: 804798609e017cf1aa1cdf39cc823f2758728301
SHA256: 60cd1ca9ed0335145319ed37d63337ae5de58788e6eccf73e6f91d370f9d6240
SHA512: 6e006158333d5f5b8f5ba46b921b52399866256a50fe14f340c5b44ee44f7bef096ca38f3afe3717272d5b731e041e4f656ad98c1c46ad26cdbed5d6c524b325

Filesize: 3KB
MD5: 9fc77ce2b3812122bc9a0bd79e4e91c4
SHA1: dd6141af0796835d3e1ac5da73d0c4bfcc98f2a7
SHA256: 105764a33c276aa8bba1b6f5e5d766f5555be9d76514333c1a0f7091c2a51fe5
SHA512: 00724ebf25c8750410038a773050937abadd26fa52d04802bbecbb7297056677cb958cb33154d667bfc56e01fa8770147c31b1e2fa97cce967a2c365a5ea22ce

Filesize: 27B
MD5: 213c0742081a9007c9093a01760f9f8c
SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Filesize: 1KB
MD5: 44ccd2e0f82c735fbef30c341d6bfc10
SHA1: 8cc305f7f8fff401380175ae0cc7d0df99b83373
SHA256: d29b19381fbf3494195232c63a36e6a9d38de4e2db3e80ae3f007a36e9674db3
SHA512: 8627b9c13415f5d9c917692281f2a33aa4286f0a50b0d08933ca663cd6cc12fb17256a2270ff283dd497661001b6c06f3d16e889215821659fa24ede367dfe07