Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 92s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/04/2024, 20:20

General

  • Target: c14fb102c05d77ab7443cc15d489ea70.exe
  • Size: 328KB
  • MD5: c14fb102c05d77ab7443cc15d489ea70
  • SHA1: cd2176a25e62066e076fe99efb30058a139c888d
  • SHA256: c7661d91bada02fb540c88e94bf5ee6594f5157a7b3343c19619a6b1ec5480b7
  • SHA512: 8e03afacbecc4aa4f5ffe00af996479405ccb02021530bda074964b4226001a7016c98fb84a7594e497abf765b7a11aa85ac66b9a19e6d261bfb29e2a0d51bf3
  • SSDEEP: 6144:wObaeY8zPekKKH/hT8PVdkLHtA3nPER5oSHzZ4NyQ:wOb/KKH/hT8PVdkJA3uoSiT

Score
10/10

Malware Config

Extracted

  • Family: urelas
  • C2:
    121.88.5.184
    121.88.5.183
    218.54.30.235
    218.54.28.139

Signatures

  • Urelas
    Urelas is a trojan targeting card games.
  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (1 IoCs)
  • UPX packed file (6 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14fb102c05d77ab7443cc15d489ea70.exe (PID: 2444)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c14fb102c05d77ab7443cc15d489ea70.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\opert.exe (PID: 4644, child of 2444)
      Command line: "C:\Users\Admin\AppData\Local\Temp\opert.exe"
      • Executes dropped EXE
    • C:\Windows\SysWOW64\cmd.exe (PID: 1068, child of 2444)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize: 512B
    MD5: eedb29ddd99eaacb97303426301d4575
    SHA1: 598485f712057df31e2318e85d17949510adea21
    SHA256: 79a0976bed8113f97584faf4ea7e820ecc6eb864a78b17fcdc9dcf8db252d84e
    SHA512: cfcaeb5b791127f2b06cafc8590e4cc6ca2ea8a66f04abb7c6cad9bbe4ab84c819e1126b7919da68d3bdd25300866d695d40d61ab0b1cba8764c4c1dafe520db
  • C:\Users\Admin\AppData\Local\Temp\opert.exe
    Filesize: 328KB
    MD5: 817bcb48a8363bdbca4f50a2e067249b
    SHA1: 31a81387be4641a391c58f58722f6a2fe58dec08
    SHA256: cd22962e1d5ef1e823bba9bf326072b0ee2b6abd0e8afb7ce10590d619c623a2
    SHA512: b0e75c006ddef0451e90e2b554fcb885c6f8e6f3b57a9e07a89f371fe0f1fdc4d095edb0c0b4bd4d4d8acf050ec726588059b308f0b94c6d9d900edb4ec6d0e3
  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize: 274B
    MD5: 7d9dd9c904b68c7e726d39b0d390e0c0
    SHA1: 5caa23245478df846b7b460dbef3cee92431e6b7
    SHA256: a97ceca17fb783be3f4a06a8965cc15622e5ce5d8410e68ba554456ca68aff01
    SHA512: efddffbf9031e1be8db233b418ddc1c21be82e8913815f205c65b76de5a9cc3bc6110af860b2c5c690f7d3a9b00c936f3172704215c7f898775be836d10dcd6a
  • memory/2444-0-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/2444-14-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/4644-10-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/4644-17-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/4644-18-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB