Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2024, 16:29

General

  • Target

    GOLAYA-DEVOCHKA.exe

  • Size

    180KB

  • MD5

    2e7d20079b41b69b3b16ecbd895be189

  • SHA1

    c63b1f1a9ec96ca7b0fc0d92bc082593e1df85e0

  • SHA256

    8aac418dfae104c626385ba620705f3d8f83ad9753020474a7fd41db3e808fc6

  • SHA512

    ab1326e5b177a7d32f7d97c0d3efce235df0da4d2b2faf40528fe399e0adccb6e7c67c2aac07f15294be6c23f12b966c9fc3135d9b8f561e99f10a5ad98532e9

  • SSDEEP

    3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0h6eXmUS:+bXE9OiTGfhEClq9deXY

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:2888
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1208
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:4580
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1380 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2128
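    The tree above (a dropper in the user's Temp directory launching cmd.exe on a .bat and two WScript.exe instances on .vbs files it wrote under Program Files (x86)) is the parent/child pattern a detection rule can key on. What follows is an added example and not part of the tria.ge report: it runs two small rules over constructed process-creation events that reuse the PIDs, images and command lines listed above. The event field names (pid, ppid, image, cmdline), the parent PIDs of the two top-level processes (set to None, since the report does not show them), the script-host list and the directory patterns are assumptions of this example.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Process-creation events reconstructed from the tree in this report. PIDs, images
# and command lines are the report's; the field layout and the parent PIDs of the
# two top-level processes (unknown, so None) are assumptions of this example.
EVENTS: List[Dict] = [
    {"pid": 2860, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\GOLAYA-DEVOCHKA.exe"'},
    {"pid": 2888, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat" "'},
    {"pid": 1208, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs"'},
    {"pid": 4580, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs"'},
    # Unrelated utility process from the same run; the long switch list is elided here.
    {"pid": 2128, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]

# Interpreters that turn a dropped text file into code.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "powershell.exe"}
# Directories an unprivileged user can write to; a parent running from here is a
# classic first-stage location.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)
# A script file staged under Program Files: installers rarely leave .vbs/.bat there.
SCRIPT_IN_PROGRAM_FILES = re.compile(
    r'[A-Z]:\\Program Files( \(x86\))?\\[^"]+\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b',
    re.IGNORECASE,
)


def find_script_host_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per (script-host process, rule) hit."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in SCRIPT_HOSTS:
            continue
        parent: Optional[Dict] = by_pid.get(e["ppid"])
        if parent is not None and USER_WRITABLE.search(parent["image"]):
            findings.append({"pid": e["pid"], "rule": "script_host_from_user_writable_parent",
                             "parent_image": parent["image"]})
        m = SCRIPT_IN_PROGRAM_FILES.search(e["cmdline"])
        if m:
            findings.append({"pid": e["pid"], "rule": "script_under_program_files",
                             "script": m.group(0)})
    return findings


def suspicious_pids(events: List[Dict]) -> List[int]:
    """PIDs that hit both rules, i.e. the exact chain this report shows."""
    hits: Dict[int, set] = {}
    for f in find_script_host_chains(events):
        hits.setdefault(f["pid"], set()).add(f["rule"])
    return sorted(pid for pid, rules in hits.items() if len(rules) == 2)


if __name__ == "__main__":
    for f in find_script_host_chains(EVENTS):
        print(f)
    print("chain:", suspicious_pids(EVENTS))
```

    Either rule on its own is noisy (admins run scripts from Temp, some vendors ship .bat files in Program Files); requiring both on the same child, with the parent resolved through ppid, is what makes the hit specific to this dropper pattern.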

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat

      Filesize

      1KB

      MD5

      9d139d064933d01879a44984a43c0346

      SHA1

      81f546bb8d23151c07748f49d6d4f6e46bc3aca0

      SHA256

      2dcfbfd5c623fe341803f8be6ef66be4403af553c9312d46394e68f376c65467

      SHA512

      7765c000154d7af286dd8615640693b3be11f89f9d8001fa635c1e4cb12163f4dd97b481430f53b766fd1e551c6ff76499414732a51bd7f8a406d4c7ed669e8d

    • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs

      Filesize

      832B

      MD5

      df76155dbd96ed3fba4dae39b11d380a

      SHA1

      b92763f66c212d74ce657d7063b12f037f71911f

      SHA256

      cec520a813dad4bbb36f79d09034dbd2a27fd42d6a26a3697c781600e8b179d7

      SHA512

      6f97a45b6042a1654c85bc9e2c2e6e65c94345a7e77dac442ef20052e0a15adc8f60af2664b3c034d99dd97d46f276183ce80beefc29fd22d6c4de791a93f0b9

    • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs

      Filesize

      620B

      MD5

      e3a6c856222acceb9bbb3f521b2d6f8a

      SHA1

      cafca047a208fe189513d7c206b453778d0564e1

      SHA256

      994947db4656545c01196676f84e8c1d866938e22986db53792a01c112955559

      SHA512

      bfed69e1c2bde450910651f699474ecaf022bef888db008a51f7ac60c0bba727faf3d5cb9261edc29a781d7791e2a8a5db317edeb4d8996909cf778bc2d429a3

    • C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot

      Filesize

      34B

      MD5

      aa5511a167a67e429a9fdf3ac25bce0e

      SHA1

      8ac961be922cdc3314ed342e809d68637e9ea1f2

      SHA256

      bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

      SHA512

      736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

    • C:\Windows\System32\drivers\etc\hosts

      Filesize

      1KB

      MD5

      c371232f0e1349b9dc104cd426333916

      SHA1

      c05b6d7e0c632c358d121314e534355e903fef05

      SHA256

      b472e0e1b4483f4e6506644f72528460c3c9afa03c0aecae57dc5e7821a646dc

      SHA512

      ec7ed785f86c62718c2a134f9591c57ecf27512122c5e3da3178a7ed143b8ead565f50e907bf62f2b40fa52c665350e7635f223114dfac8faee347a65835db8d

    • memory/2860-40-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB
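    The Downloads list records that the sample rewrote C:\Windows\System32\drivers\etc\hosts (the "Drops file in Drivers directory" hits), which is how commodity malware blocks security-vendor update servers or pins a domain to an address it controls. The report gives only the size and hashes of the new file, not its contents. Below is an added example, not part of the tria.ge report, of the check a responder would run on the recovered file: it parses hosts syntax (comments, several names per line, IPv4 and IPv6) and classifies each mapping. The hosts content is constructed (reserved .test names and a TEST-NET-3 address), and the verdict names and the set of internal ranges are this example's own.

```python
import ipaddress
from typing import Dict, List

# Constructed hosts-file content for illustration only. The report records just the
# size (1KB) and hashes of the dropped hosts file, not its contents; the names use
# the reserved .test TLD and 203.0.113.5 is from the TEST-NET-3 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   update.example-av.test   # sinkhole an updater
0.0.0.0     telemetry.example.test
203.0.113.5 login.example-bank.test  www.example-bank.test
::1         localhost
"""

# Names that legitimately resolve to loopback on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# RFC 1918, link-local and ULA ranges: a mapping here may be an intranet override,
# so it is reported separately from a public address (assumed split for this example).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def parse_hosts(text: str) -> List[Dict]:
    """Parse hosts syntax: '<ip> <name> [<name> ...]'; '#' starts a comment."""
    entries: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append({"line": lineno, "ip": None, "names": fields})
            continue
        entries.append({"line": lineno, "ip": ip, "names": [n.lower() for n in fields[1:]]})
    return entries


def classify(ip, name: str) -> str:
    """Loopback/unspecified for a non-local name blocks it; anything else redirects it."""
    if ip.is_loopback or ip.is_unspecified:
        return "expected" if name in LOCAL_NAMES else "sinkholed"
    if any(ip in net for net in INTERNAL_RANGES):
        return "pinned_to_internal"
    return "pinned_to_remote"


def audit_hosts(text: str) -> List[Dict]:
    """Return every non-default mapping with a verdict; 'expected' entries are dropped."""
    findings: List[Dict] = []
    for e in parse_hosts(text):
        if e["ip"] is None:
            findings.append({"line": e["line"], "name": " ".join(e["names"]),
                             "ip": None, "verdict": "unparsable"})
            continue
        for name in e["names"]:
            verdict = classify(e["ip"], name)
            if verdict != "expected":
                findings.append({"line": e["line"], "name": name,
                                 "ip": str(e["ip"]), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['verdict']:<18} {f['name']} -> {f['ip']}")
```

    Run it against the file carved from the image rather than the live host, and compare the file's SHA256 with the b472e0e1... value above to confirm you are looking at the dropped version. Lines the parser cannot interpret are reported too, since a malformed line can be deliberate padding around the entries that matter.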