Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

GOLAYA-RUSSKAYA.exe

windows7-x64

8

GOLAYA-RUSSKAYA.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-RUSSKAYA.exe

  • Size

    181KB

  • MD5

    b1d337c0c73cbea038b997d6abaddb31

  • SHA1

    4f4d45e58de9ee50b01e53846143427d942268ef

  • SHA256

    3fd1978f95b6bc6efab67e2b2b98b0c373cccc10757457f7735dc3b2a4f29720

  • SHA512

    3c25bd65e87fa431ab7ade6c61bbf825b18633d7bee97ca8061ae4d0f68c9715d14e6f411d83471daaab0a0f93927f90d3bfb93a5abacfce0cda342807a6c573

  • SSDEEP

    3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hR4udk4Rjb+o:WbXE9OiTGfhEClq9Xuvjbz

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\all.vbs"
    1⤵
    • Blocklisted process makes network request
    • Drops file in Drivers directory
    PID:2632
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\OnmywaytoHamburg.bat" "
    1⤵
    • Drops file in Drivers directory
    PID:2968
  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-RUSSKAYA.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1184

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\OnmywaytoHamburg.bat
    Filesize

    2KB

    MD5

    22ded7b6d88931639d5ec17f63ded2ec

    SHA1

    ef89258c3117d590a97ae89dc9a6a17406983018

    SHA256

    d400f954435e7d1d5fb092ae6e56e1a7902ba40103cf617057564aeab22fd380

    SHA512

    1b25ea6621f58049110a9a8e193a60b559670e876d92a96d389e11ee5ba3c42575749592e9764e15d297a13d6ed9b08199fc565e47053963267de9a56f07dd4b

    Download Submit

  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\all.vbs
    Filesize

    911B

    MD5

    7d030cb549eadb46787e774b7d2349ea

    SHA1

    0ce746e7a1e8ce96250a6c9764aae24d20b8fe43

    SHA256

    f3fed63e84e70ca80081e4cf165b2d28c8088524c6b67a35c361834fecac59e5

    SHA512

    0798d7646a9bdeb70274c075d1c88cf60db6c09b8331df07a7fa40530b4c9538a77ce6d05abaa9d562ba6112dd22667baf9fbb6a9dc8641eb413b0667af9b8d5

    Download Submit

  • C:\Program Files (x86)\power inverters, radar\Tourism Whistler offers comprehensive\planningandinforma.tion
    Filesize

    74B

    MD5

    96121bfd46615e1d80c6d3152b79b2b1

    SHA1

    73f39abe1ddf9ea28656f2d1454ff6e5df357719

    SHA256

    aa6f7ca0b17424562d0926160849fe0a4dcee46f46254ac2cd90fc529ca0cd6a

    SHA512

    3dae396d5c336006ac0be6362e16f66b9f771c14b115461b7a76f71de181cfc80a2983664ebc5ad6fac44e4702f1a0dbf98b774f7bc884a7dff5617755d821f2

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    25ee27baa31c59fdf6cf5d18955ef985

    SHA1

    51d4725afa6d997cb7347c60a7d17485a8fb2ea7

    SHA256

    75daf3b3c78bc2038351bee72d6036edf869f7106da7366722b1cd03f26f195d

    SHA512

    8a4e1f971b8158db5df7b24b8f0d317d2397209c21ab07c6e6014bc767bbc95e32093fb59e2e67369687c9ed024ff6d354652d02424a8050500a410369abe12e

    Download Submit

  • memory/1184-42-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1184-47-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download