Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/02/2024, 06:54

General

  • Target

    Backdoor.Win32.Plite.exe

  • Size

    61KB

  • MD5

    ac18dbe74249bdd64ff7ddb125320064

  • SHA1

    4f5d6ef53aa3a2e8231f117225aea666b0320783

  • SHA256

    62f71e49ed5f1a322324c58e9aa1e97e206ddba975aa55e08c6d26f1fa787b0f

  • SHA512

    93328d2a668fbe14e1ddcf00cfaef5dda61a88e0fabfac5e66c1129fe2e56f1b06dc4eaa0de904ef4a6fdd2d7007b3a07844ad70b1e035347c3fc21112c5257a

  • SSDEEP

    1536:1jeTAG/cbPGIZ+yy9YKU/p5mhnD4Nje4ur13t:1jYAaM7ZSY9esEVf

Score
10/10

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 2616
    • Deletes itself
  • C:\Users\Admin\AppData\Local\Temp\huter.exe
    "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    PID: 2752
    • Executes dropped EXE
  • C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"
    PID: 3068
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    f45c82adf9ef8413d78bd3230b411302

    SHA1

    334971369d92e5aeb3d541b0d9fb1dfa1c8c8d44

    SHA256

    3ba2f989c72cfb256155b9f51fc6c3de41f5e1b8bb58b89076f9d8f927c95ca0

    SHA512

    602a7e0e01b8367b81ab70167c92d09db8df4466f8483580ca6b48926332ccbfb1379f7f308c534f3d1ff127fb2b4ec69f3927a7313c7952f230dfa57cbbc093

  • C:\Users\Admin\AppData\Local\Temp\huter.exe

    Filesize

    61KB

    MD5

    991be6f3c9067091982f93aca3ca2e88

    SHA1

    e939bbf0694eb7797bbe1f542a9203416c7b436c

    SHA256

    0c9dc69de14f7e3ee466b2b18bf194928369208e86ba0b36f2fe415945d38ad6

    SHA512

    97a8035edb7ba6c4109607000503cd4d4c1752755ddc551590e435c5573761a2e3976567cd3baf2ed3ebb20d48a994244f38a6121ae2b1e160d02e720b16e815

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

    Filesize

    250B

    MD5

    b6ac74a17ea9df40fa00e66362d0128c

    SHA1

    ebfabc9e75e4493a0c88b1b7b1e6d195eaebe592

    SHA256

    4445fd331d80b02affa2a95ecad6e275aa5c7c1e08ea8494a979f93d4fba0b78

    SHA512

    b997c51b7ce523625b6b454f96a88c4df08d5b5526a33ec8a0244d6a8be7d68dd01a6c72ae618a758a49dbd131ca2c5337fae576bee617450acafeab3844c4e1

  • memory/2752-16-0x0000000001300000-0x000000000132A000-memory.dmp (168KB)
  • memory/2752-21-0x0000000001300000-0x000000000132A000-memory.dmp (168KB)
  • memory/2752-23-0x0000000001300000-0x000000000132A000-memory.dmp (168KB)
  • memory/2752-29-0x0000000001300000-0x000000000132A000-memory.dmp (168KB)
  • memory/3068-18-0x0000000000A60000-0x0000000000A8A000-memory.dmp (168KB)
  • memory/3068-9-0x0000000000730000-0x000000000075A000-memory.dmp (168KB)
  • memory/3068-0-0x0000000000A60000-0x0000000000A8A000-memory.dmp (168KB)