Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 22:55

General

  • Target

    3b45f931cf10857580e832601b463bc3.exe

  • Size

    187KB

  • MD5

    3b45f931cf10857580e832601b463bc3

  • SHA1

    b1c1c1c9cd8a832204fbf09cd673af7a1fee04dc

  • SHA256

    ce089fe865d47c7a4b5dbb399229e35b30a939e52797d316fd0ec6f130cf46c8

  • SHA512

    5f2ad53658bb9d139e99e0b6b6d64565414a691b75fb180624f836a2d131767e9c91dd5086879f5dec851a5b909f5c227b04a6afe869a45f8312e318c934b245

  • SSDEEP

    3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad3:2mvqeP33AYFIN9treHy3

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe
    "C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:2952
      • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
        "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
        2⤵
        • Executes dropped EXE
        PID:3720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\biudfw.exe

    Filesize

    187KB

    MD5

    7b70255d26849b2fd34ccc5cfd83ced7

    SHA1

    cb765856f83cae17e4c57b1883f3f505439a6294

    SHA256

    cf3f71023774872ada78077bb6c08917a8a10da177474797dd16873cdbb7a148

    SHA512

    eac8e0720a9e15dfccf016a7664c88ffffe26ded0e7d9d9d53c6df4007545641100b18227ae26af55e8a656eea940a461947673f6d35ae8b00c95c50c6934c8c

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    1e75a7e32613b9d0b73f13b66c2c2f58

    SHA1

    035e2d6ab4ac34190f0e684681098188409e978c

    SHA256

    9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

    SHA512

    e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    274B

    MD5

    cb0a8830fbf20a8d3908fbb84303c4ec

    SHA1

    a0f81f41530ee0c1aa27378475fa2e7a8569f015

    SHA256

    cec8c307ddf35cbe00de0d1c397d1db046fb119bcf55912895087db5e46b5e63

    SHA512

    842f9bf101c568a3731476474f4a7403ffcedf9f68385e57110ff656bf84f6d037eecf8d703acc70389d0cc9a14fb3fcfc0a7548d2c61affa52c4c572e163bf3

  • memory/3720-14-0x0000000000670000-0x00000000006A2000-memory.dmp

    Filesize

    200KB

  • memory/3720-20-0x0000000000670000-0x00000000006A2000-memory.dmp

    Filesize

    200KB

  • memory/3720-21-0x0000000000670000-0x00000000006A2000-memory.dmp

    Filesize

    200KB

  • memory/4972-0-0x0000000000420000-0x0000000000452000-memory.dmp

    Filesize

    200KB

  • memory/4972-17-0x0000000000420000-0x0000000000452000-memory.dmp

    Filesize

    200KB