Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

66b4a9b9e1...cd.exe

windows7-x64

10

66b4a9b9e1...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66b4a9b9e1048b88dfd85a22f5985ccd.exe

  • Size

    49KB

  • MD5

    66b4a9b9e1048b88dfd85a22f5985ccd

  • SHA1

    66713e0d5bacde0f1f7b1a11ada1878c3b45bc83

  • SHA256

    d7ae91be36c221dcf4e8ba8d02919db653c632de1c084987e152d8e52f24e387

  • SHA512

    9a06deb2973792898b67c3521d15432730e4845682fcc816f388b7b08e6b109bad523ca99ad9e245caae47c67d8ebfb2fda048c1fcf78840308bb311e79e9e39

  • SSDEEP

    1536:834/PC7Ruz3hRXRASULZ6JKYdbzcmhCZny:It7R8fU6n8y

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66b4a9b9e1048b88dfd85a22f5985ccd.exe
    "C:\Users\Admin\AppData\Local\Temp\66b4a9b9e1048b88dfd85a22f5985ccd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
        "C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
        2⤵
        • Executes dropped EXE
        PID:4168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      39e55c2b5135dd669ad371cc03d79fc2

      SHA1

      d027fea84a269f8e556dfb5411ac3d01b9311017

      SHA256

      ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

      SHA512

      e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
      Filesize

      49KB

      MD5

      9845e754717fd4b845f15c328db4e2bc

      SHA1

      94efe9ead68b5c9bf113726afb2f73b9e14eb1da

      SHA256

      e6a4292ee9685d6fc9b301b3483716cf2d67f7c2d950cb7db41db82144de951f

      SHA512

      9ac479be0f59b7e898d9959c04da72e758351203b6c4bf3635ad9d664bae30bcbafd12581b282d59012076773621ae07c4ceb0d7b1184b0fc4a7c588f85d677f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
      Filesize

      274B

      MD5

      d30b04871154e17588f0a25f66059ba9

      SHA1

      2f84340526ff4cfaa9253feeeb6677049390bb9f

      SHA256

      7792b1864f78b8d73374472e7603c9c5c632f7edb3e1f20b140e7887308b35b3

      SHA512

      9bc39f3551c4f9af380e6f2144e06d1ff62519f9a6682993ffa9d5e73a60657dfae15c2cad32a60300011671ffaf11682d0ee0d01201ecb3cc86c1c727fb3e95

      Download Submit

    • memory/4168-12-0x0000000000230000-0x0000000000263000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4168-17-0x0000000000230000-0x0000000000263000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4168-19-0x0000000000230000-0x0000000000263000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4168-25-0x0000000000230000-0x0000000000263000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4400-0-0x0000000000470000-0x00000000004A3000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4400-14-0x0000000000470000-0x00000000004A3000-memory.dmp

      Filesize

      204KB

      Download