Analysis
- max time kernel: 142s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en (the behavioral2 task listed below)
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/01/2024, 22:30
Static task: static1
Behavioral task: behavioral1
- Sample: PHOTO-GOLAYA.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: PHOTO-GOLAYA.exe
- Resource: win10v2004-20231215-en
General
- Target: PHOTO-GOLAYA.exe
- Size: 149KB
- MD5: 5e337da135d63887a756e2cba5fcc0c8
- SHA1: c367eaa24241c19410bbbe2ff4d2c39d4cdd1990
- SHA256: d9d056c7d128ec893e43a4c7b315e9437629f851f51aee6d366c1022a48bdff1
- SHA512: 54b3a00c9317c2d5ea338a2450e655dd5c822531c97bb8cd164272a10650421676c1ea9634de1ed2c9454885b04653773235c605f95befb7d848eef6779c0172
- SSDEEP: 3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hijeF9RCyllP:AbXE9OiTGfhEClq949vD
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  flow | pid  | Process
  34   | 1096 | WScript.exe

Drops file in Drivers directory (3 IoCs)
  description                  | ioc                                   | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | WScript.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hîsts | WScript.exe
  Note the non-ASCII character in the third path (hîsts), kept here exactly as the sandbox logged it. In the process tree below only WScript.exe PID 796 (samisok.vbs) carries this signature, so both WScript.exe writes belong to that instance; PID 1096 (nadopilitsa.vbs) is the instance that makes the network request.

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description       | ioc                                                                                                     | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | PHOTO-GOLAYA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | cmd.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (9 IoCs)
  description                  | ioc                                                   | Process
  File opened for modification | C:\Program Files (x86)\Produc\New\poppets.txt         | PHOTO-GOLAYA.exe
  File opened for modification | C:\Program Files (x86)\Produc\New\nuashks.bat         | PHOTO-GOLAYA.exe
  File opened for modification | C:\Program Files (x86)\Produc\New\nadopilitsa.nabazu  | PHOTO-GOLAYA.exe
  File opened for modification | C:\Program Files (x86)\Produc\New\nadopilitsa.vbs     | cmd.exe
  File created                 | C:\Program Files (x86)\Produc\New\nadopilitsa.vbs     | cmd.exe
  File opened for modification | C:\Program Files (x86)\Produc\New\nevedomaya.hernya   | PHOTO-GOLAYA.exe
  File opened for modification | C:\Program Files (x86)\Produc\New\samisok.vbs         | PHOTO-GOLAYA.exe
  File opened for modification | C:\Program Files (x86)\Produc\New\Uninstall.exe       | PHOTO-GOLAYA.exe
  File created                 | C:\Program Files (x86)\Produc\New\Uninstall.ini       | PHOTO-GOLAYA.exe
  nadopilitsa.vbs is created by cmd.exe (the nuashks.bat stage) rather than by the installer itself; samisok.vbs and the batch file are written directly by PHOTO-GOLAYA.exe.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  description | ioc                                                                               | Process
  Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process          | procid_target
  PID 1764 wrote to memory of 2912 | 1764 | PHOTO-GOLAYA.exe | 94
  PID 1764 wrote to memory of 2912 | 1764 | PHOTO-GOLAYA.exe | 94
  PID 1764 wrote to memory of 2912 | 1764 | PHOTO-GOLAYA.exe | 94
  PID 2912 wrote to memory of 1096 | 2912 | cmd.exe          | 96
  PID 2912 wrote to memory of 1096 | 2912 | cmd.exe          | 96
  PID 2912 wrote to memory of 1096 | 2912 | cmd.exe          | 96
  PID 1764 wrote to memory of 796  | 1764 | PHOTO-GOLAYA.exe | 97
  PID 1764 wrote to memory of 796  | 1764 | PHOTO-GOLAYA.exe | 97
  PID 1764 wrote to memory of 796  | 1764 | PHOTO-GOLAYA.exe | 97
  Rows repeat three times per child process; the distinct parent/child pairs are 1764 -> 2912 (cmd.exe), 2912 -> 1096 (WScript.exe) and 1764 -> 796 (WScript.exe), consistent with the process tree below.
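The hosts-file writes in the Drops file in Drivers directory signature are what a responder checks first on a suspect machine. The following added example (mine, not code from tria.ge or from the sample) parses a hosts file and flags every mapping that is not a plain localhost alias, and lists files in drivers\etc that are outside the expected set, folding accents away and scoring near-names so a file like the report's hîsts is reported as one edit away from hosts. The hosts content, the directory listing and the example-vendor / example-bank hostnames are constructed for the demo.

```python
"""Audit a Windows hosts file and its directory for the tampering seen above.

Added example: not code from tria.ge or from the sample. SAMPLE_HOSTS and
SAMPLE_ETC_LISTING are constructed for the demo; the listing mirrors the
report's 'hosts' / 'hîsts' pair.
"""
import ipaddress
import unicodedata

# Files Windows ships in %SystemRoot%\System32\drivers\etc (lower-case).
EXPECTED_ETC_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}

# Constructed sample: a hosts file after a hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1     activation.example-vendor.test
203.0.113.10  update.example-vendor.test  download.example-vendor.test
::1           telemetry.example-vendor.test
"""

# Constructed directory listing with the lookalike name from the report.
SAMPLE_ETC_LISTING = ["hosts", "h\u00eests", "lmhosts.sam", "networks",
                      "protocol", "services"]


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed line; the resolver ignores it too
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def suspicious_entries(text):
    """Return (line_no, host, ip, reason) for every non-localhost mapping.

    Pointing a name at loopback sinkholes it (blocks updates or AV traffic);
    pointing it at a routable address redirects it. Both are reported.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        reason = "sinkholed to loopback" if ip.is_loopback else "redirected to routable address"
        findings.append((line_no, host, str(ip), reason))
    return findings


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-names of expected files."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unexpected_files(listing):
    """Report names in drivers\\etc that are not in the expected set.

    Each one is checked for non-ASCII characters and, after folding the
    accents away, for being within one edit of an expected name, so the
    report's 'hîsts' is flagged as a near-match of 'hosts'.
    """
    out = []
    for name in listing:
        if name.lower() in EXPECTED_ETC_FILES:
            continue
        folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
        near = sorted(e for e in EXPECTED_ETC_FILES if edit_distance(folded, e) <= 1)
        out.append({"name": name, "non_ascii": not name.isascii(), "near": near})
    return out


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s (%s)" % f)
    for f in unexpected_files(SAMPLE_ETC_LISTING):
        print("unexpected file:", f)
```

On a live system, read the file with the encoding Windows wrote it in and list the directory with the raw names; the near-name check is deliberately loose (one edit after accent folding), so treat anything it reports as a lead to open, not as a verdict.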
Processes
PID 1764  C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID 2912  C:\Windows\SysWOW64\cmd.exe (child of 1764)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "
    - Drops file in Drivers directory
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID 1096  C:\Windows\SysWOW64\WScript.exe (child of 2912)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"
      - Blocklisted process makes network request
  PID 796  C:\Windows\SysWOW64\WScript.exe (child of 1764)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"
    - Drops file in Drivers directory

Image paths are under SysWOW64 while the command lines name System32: the sample is 32-bit (resource tag arch:x86), so its System32 references are redirected by WoW64 file-system redirection. Detections should match on the image path, not on the path spelled in the command line.
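The tree shows a detectable chain: an executable in the user's Temp directory spawns cmd.exe on a .bat under Program Files (x86), which spawns WScript.exe on a .vbs from the same directory, and the executable spawns a second WScript.exe directly. The added example below (mine, not code from tria.ge or from the sample) encodes that chain as a detection over process-creation events. The event records are constructed from the PIDs and command lines above, with one invented benign control (PID 4100 under a parent 1200 that is not in the set); the Proc fields and rule names are this script's own, not a sandbox export format.

```python
"""Detect the launch chain in the process tree above.

Added example: not code from tria.ge or from the sample. EVENTS is
constructed from the PIDs and command lines in the tree (plus one benign
control); the Proc fields are this script's own, not a sandbox export.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed from the report's process tree. ppid 0 = parent not recorded.
EVENTS = [
    Proc(1764, 0, r"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"'),
    Proc(2912, 1764, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Produc\New\nuashks.bat" "'),
    Proc(1096, 2912, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\nadopilitsa.vbs"'),
    Proc(796, 1764, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Produc\New\samisok.vbs"'),
    # Benign control (constructed): a vendor batch file run from a parent
    # that is not in the Temp directory. Must not alert.
    Proc(4100, 1200, r"C:\Windows\System32\cmd.exe",
         r'C:\Windows\System32\cmd.exe /c "C:\Program Files\Vendor\setup.bat"'),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# A script argument that lives under Program Files or Program Files (x86).
PF_SCRIPT = re.compile(
    r'"?([A-Z]:\\Program Files(?: \(x86\))?\\[^"]+?\.(?:bat|cmd|vbs|vbe|jse|js|wsf))"?', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Return the chain [root, ..., pid] of Proc records, stopping at
    unknown parents and guarding against PID cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def detect(events):
    """Return one alert per process that runs a script from Program Files
    while some ancestor was started out of the user's Temp directory.

    Match on the image path, not on the command line: the 32-bit sample's
    System32 references are redirected by WoW64, which is why the tree
    shows SysWOW64 images with System32 command lines.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        m = PF_SCRIPT.search(e.cmdline)
        if not m:
            continue
        chain = ancestry(e.pid, by_pid)
        ancestors = chain[:-1]
        if not any(TEMP_DIR.search(p.image) for p in ancestors):
            continue
        name = basename(e.image)
        if name == "cmd.exe":
            rule = "temp_exe_runs_programfiles_batch"
        elif name in SCRIPT_HOSTS:
            rule = "temp_exe_chain_runs_programfiles_script"
        else:
            continue
        alerts.append({"rule": rule, "pid": e.pid, "script": m.group(1),
                       "chain": [p.pid for p in chain]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["pid"], " -> ".join(map(str, a["chain"])), a["script"])
```

The Temp-ancestor condition is what separates this from ordinary installers, which also run batch files and scripts out of Program Files; when feeding real telemetry (Sysmon event 1, EDR process-start records) keep the parent PID chain, because the WScript.exe at PID 796 only looks suspicious through its parent.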
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 269B
  MD5: f8e76085c4bab58dcb161028c3aae9c9
  SHA1: 764af0a064b08e40beeab421df76d3c7fb389c75
  SHA256: e7388abfc5e55e53c9a06f74e6000107b15641c3d99fe89d9f990584049b4ad6
  SHA512: 7c557fdee8163233be08a494955b02af789d37fefc5429b966079c83950f4b79ec50c7f521ba0cc72cb762c300ab96ce72c1bc90a3eca6eeed67e1a2614a8b61
- Filesize: 48B
  MD5: 7215ed14e21d41517551593a906dfa9e
  SHA1: 572ec6424f46b19e5b1a0ebcb58df8efadaa37aa
  SHA256: 248f4f03a3bac68d3f2231e72dcdb82d16ba4a49631306e231200c36a4d7d6b6
  SHA512: c81fcc628b6178017cacdbf7c57b5bd3304ea1e6a43b4c8164082f6d701f7f03c16d3026b011819ee76cb4609ca8c00e70566382cd839fba9fe714e1d0a1f7e5
- Filesize: 3KB
  MD5: c151e8a63db1332daeaf336c6767f918
  SHA1: 3c41d44604d19b3ce2bb9a1971a94ebf2a1f50bd
  SHA256: c9f0675570ce4487e3b60e2b3e5433ad76c0ec354a41d8135fb0318e40f39e95
  SHA512: bb483dc05f7eeb6e6a73c76d6bf95e1e322b609d759dee27c5e21b682d8c249b3e60cc25f7f47ee152f0b8eccea90252daed9235153e3258423221c233f80c44
- Filesize: 27B
  MD5: 213c0742081a9007c9093a01760f9f8c
  SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
  SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
  SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
- Filesize: 740B
  MD5: 152fab0ac0684c4b7383883ecb4c42f7
  SHA1: dc2487afd2302751686b5f7af5ec65ecd05c75c5
  SHA256: d28c1370bce14ca6aa38e81d6c6deb3e43b04849bead1795d940c1e59f2cde4d
  SHA512: da52cafc25583799b8138044cfd25f0cc66c7d01b1cf369b8960c1865d9a6a348be0ee90b417ad72455f3919f7553ef4db971c7ff56855b40bf4d772ba8efee3
- Filesize: 1KB
  MD5: d9a93296f8c62ab96271667c72d7a3b3
  SHA1: abcf5a6ed773cfc978fc2176138778ad406c188a
  SHA256: f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993
  SHA512: f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02