Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 16:23

General

  • Target

    5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe

  • Size

    329KB

  • MD5

    373823c3f20c185c50bc7abd35345bd0

  • SHA1

    b9bf4195521f9cd012af3773bf5cdb9ac98fac75

  • SHA256

    5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7

  • SHA512

    746b6e9266a4f7b8c2ff08ccb71a9a3ec65de365a91c07d49b6f14db1ac40acd8886624d42239bb21b077939d51442c4c7a374a64cced51db6c9cb268c7480c8

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVP:vHW138/iXWlK885rKlGSekcj66ciEP

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
    "C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Local\Temp\coryz.exe
      "C:\Users\Admin\AppData\Local\Temp\coryz.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Users\Admin\AppData\Local\Temp\qazym.exe
        "C:\Users\Admin\AppData\Local\Temp\qazym.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3700
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    16345585560837b3f96911125dc68a5a

    SHA1

    c4168f87ff5f1acd63b1feace8736cd358a838c0

    SHA256

    8b2a808965b4f50f7a138e9cf41c4ae5fbeb7d2a704c312bc2fec6ffa8fafbe7

    SHA512

    67fb0fd89fd02afd31137ebe98642b3bd5d04ede03427b3f374f2b7bd63c580c4b2dc78eebaccbd3ff3eac934be9d19b5cb00b4cd526a82ee97b884215c12118

  • C:\Users\Admin\AppData\Local\Temp\coryz.exe

    Filesize

    329KB

    MD5

    283c5de8d95f6654b1aad099d093c0e5

    SHA1

    03d7d6cb74c1a0ee6d6ee2c8fb60331a2cfd891a

    SHA256

    a0ad794f0121b7b13beead23d1028c9a3a4810fc781508555563c2703493f1b3

    SHA512

    63763470274e57f616c1c073509470f3498970d65c2de15d72918aa3143d60aac33f8758c95a549367915b96706984e40c77d6f76ebc6a966bc5eb7e3750075e

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    476d30f250c04b55039901961b5cd1f8

    SHA1

    51a92009991f801f9f040d13508eb2080c9a96ab

    SHA256

    d289b9f1199a9bacf3e31d0192eaf6e69b9a7d0b0810173e73ef1e3033bf005f

    SHA512

    4cfe8bd98f7fc1ce8bef199a390f880f2b53f7ef6acbbe14499ead6ac33ee592e36a00872797c888865c27b30e445ccbce969c8110a8110637a2143ef60763fb

  • C:\Users\Admin\AppData\Local\Temp\qazym.exe

    Filesize

    172KB

    MD5

    0addb9474b95a09f9ac2c868ac87ad97

    SHA1

    2d78403a2f96d8a6c6940d66422551dad8064746

    SHA256

    0e6c8ce4b7d1dab923c7b157b85f57ffb4b5c026d4808dff1c648defdfef0bf5

    SHA512

    5b949b175dc88bd5e80332b5a68080554dc84dc381e85fe802e9bf1c8659c80e3851e7f9cdc854f3cec672d4058394c44df48d0313b991a4bf7b695c30e023d8

  • memory/3700-48-0x0000000000080000-0x0000000000119000-memory.dmp

    Filesize

    612KB

  • memory/3700-46-0x0000000000080000-0x0000000000119000-memory.dmp

    Filesize

    612KB

  • memory/3700-47-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

    Filesize

    8KB

  • memory/3700-40-0x0000000000080000-0x0000000000119000-memory.dmp

    Filesize

    612KB

  • memory/3700-39-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

    Filesize

    8KB

  • memory/3700-38-0x0000000000080000-0x0000000000119000-memory.dmp

    Filesize

    612KB

  • memory/3828-17-0x0000000000480000-0x0000000000501000-memory.dmp

    Filesize

    516KB

  • memory/3828-0-0x0000000000480000-0x0000000000501000-memory.dmp

    Filesize

    516KB

  • memory/3828-1-0x0000000000950000-0x0000000000951000-memory.dmp

    Filesize

    4KB

  • memory/3924-21-0x0000000001250000-0x0000000001251000-memory.dmp

    Filesize

    4KB

  • memory/3924-20-0x00000000009B0000-0x0000000000A31000-memory.dmp

    Filesize

    516KB

  • memory/3924-14-0x0000000001250000-0x0000000001251000-memory.dmp

    Filesize

    4KB

  • memory/3924-44-0x00000000009B0000-0x0000000000A31000-memory.dmp

    Filesize

    516KB

  • memory/3924-11-0x00000000009B0000-0x0000000000A31000-memory.dmp

    Filesize

    516KB