Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

GOLAYA-SEXY.exe

windows7-x64

8

GOLAYA-SEXY.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    93s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2024, 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GOLAYA-SEXY.exe

  • Size

    238KB

  • MD5

    2ca498cc00b0c5baec004b731621c97d

  • SHA1

    41d2d779185cd6274ad1fffecabbbec1d781fd42

  • SHA256

    400b70f625095ce4995eb1e8188e319572abd8a67dacc3b1567641c039dbebf0

  • SHA512

    173830127c25ee0bb1296943930eac3a49da174ad18725f293d46922bac224e0200cfa17a6c5226379bac89d1e5980c7549687b023c4bf92c9f45ec6d5e6538c

  • SSDEEP

    3072:VBAp5XhKpN4eOyVTGfhEClj8jTk+0hNq1dgshuk+Cgw5CKHm:wbXE9OiTGfhEClq9UqTaJJUm

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
    "C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\net takoi papki\slonopotam\slonopotamus.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.vbs"
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        PID:4840
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\net takoi papki\slonopotam\hreansdva.vbs"
      2⤵
      • Drops file in Drivers directory
      • System Location Discovery: System Language Discovery
      PID:4272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\net takoi papki\slonopotam\1.txt
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\net takoi papki\slonopotam\hreansdva.vbs
    Filesize

    679B

    MD5

    1e13b9527a12dffe2998bf760c127814

    SHA1

    aec14d10a204872cc940550fa7876b2081373f01

    SHA256

    355dafd0f4053c07306b5505a4a5333ad4f2afb79a1d5fd35798282bdac79c38

    SHA512

    16e2d3e546030a7d452455f170ba731484006e6b645cc201b854ec11d115ce6182602e5a18a74859f5fdff7dda4939e30dbb5abe6313388e556784879a2e425d

    Download Submit

  • C:\Program Files (x86)\net takoi papki\slonopotam\industrialgasturbines.and
    Filesize

    53B

    MD5

    458f8278e6db63a24dd7874915404c05

    SHA1

    2a8b5a312231a4fcd88db0b23c91bb504d35b9b0

    SHA256

    c802072462fcfd13b9410d839530c95e3ec526cac9fe273a35a78312d436817d

    SHA512

    0b05dca8f971df3e5bce2a461455117b6052cfeca3d646bee6c66d3c6c69be31b9d98228cf1c6cb972856c90889aab6f883d25c6e5a6292f17fc12505af9cc50

    Download Submit

  • C:\Program Files (x86)\net takoi papki\slonopotam\jolemansday.day
    Filesize

    189B

    MD5

    4916a96fa815d608e91d931df33122f9

    SHA1

    93a9849116673ad184ca7a5f32d0bea2d30762a4

    SHA256

    19ba1285b426e131f629eb1afddbe1350c71dc6188cd14779bb65123cb7a728f

    SHA512

    78a73b8879cd3179dbdf7a4a2805659b20efacf1a090c64c875e8915a297c17cde9165f9da0a4ad70abc11745c61d824e047e0e3ba8e2e587ca1b1011b2f9ca7

    Download Submit

  • C:\Program Files (x86)\net takoi papki\slonopotam\slonopotamus.bat
    Filesize

    1KB

    MD5

    0715369b6dd1face650d3625223bf4db

    SHA1

    788a33cc2fac1697fd265c57448e5618d1c438d0

    SHA256

    492f2286987ba02fd03a735d89126254b540f140e2ee07f7d1c3481a1d422f30

    SHA512

    200fdc5e01cb26602e134bf3b0474dca2c0e1a85c2505240a76094782b893355a18249549165a06228d6663146a4b992b249e321e31d1364bf381c075d896d99

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    435d5b9ac8adeb9d27fad84bf5303c6b

    SHA1

    bde744ec28854dae3189115a948db25c2e21a886

    SHA256

    8c2c870afff5c4585252a9bc7675674b5756f316bb2bd0d63c09ee07972ea411

    SHA512

    4460ee340753053374c72342d5f0878fc30a1f10d4cbde5b55440932479ab35d42487af08a27703dcf06dedf875b25ec9a888974f8adeee3243afd2f9425cb8e

    Download Submit

  • memory/4260-49-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download