Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30/09/2024, 16:23
General
-
Target
5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
-
Size
329KB
-
MD5
373823c3f20c185c50bc7abd35345bd0
-
SHA1
b9bf4195521f9cd012af3773bf5cdb9ac98fac75
-
SHA256
5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7
-
SHA512
746b6e9266a4f7b8c2ff08ccb71a9a3ec65de365a91c07d49b6f14db1ac40acd8886624d42239bb21b077939d51442c4c7a374a64cced51db6c9cb268c7480c8
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVP:vHW138/iXWlK885rKlGSekcj66ciEP
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe"C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\coryz.exe"C:\Users\Admin\AppData\Local\Temp\coryz.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qazym.exe"C:\Users\Admin\AppData\Local\Temp\qazym.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD516345585560837b3f96911125dc68a5a
SHA1c4168f87ff5f1acd63b1feace8736cd358a838c0
SHA2568b2a808965b4f50f7a138e9cf41c4ae5fbeb7d2a704c312bc2fec6ffa8fafbe7
SHA51267fb0fd89fd02afd31137ebe98642b3bd5d04ede03427b3f374f2b7bd63c580c4b2dc78eebaccbd3ff3eac934be9d19b5cb00b4cd526a82ee97b884215c12118
-
Filesize
329KB
MD5283c5de8d95f6654b1aad099d093c0e5
SHA103d7d6cb74c1a0ee6d6ee2c8fb60331a2cfd891a
SHA256a0ad794f0121b7b13beead23d1028c9a3a4810fc781508555563c2703493f1b3
SHA51263763470274e57f616c1c073509470f3498970d65c2de15d72918aa3143d60aac33f8758c95a549367915b96706984e40c77d6f76ebc6a966bc5eb7e3750075e
-
Filesize
512B
MD5476d30f250c04b55039901961b5cd1f8
SHA151a92009991f801f9f040d13508eb2080c9a96ab
SHA256d289b9f1199a9bacf3e31d0192eaf6e69b9a7d0b0810173e73ef1e3033bf005f
SHA5124cfe8bd98f7fc1ce8bef199a390f880f2b53f7ef6acbbe14499ead6ac33ee592e36a00872797c888865c27b30e445ccbce969c8110a8110637a2143ef60763fb
-
Filesize
172KB
MD50addb9474b95a09f9ac2c868ac87ad97
SHA12d78403a2f96d8a6c6940d66422551dad8064746
SHA2560e6c8ce4b7d1dab923c7b157b85f57ffb4b5c026d4808dff1c648defdfef0bf5
SHA5125b949b175dc88bd5e80332b5a68080554dc84dc381e85fe802e9bf1c8659c80e3851e7f9cdc854f3cec672d4058394c44df48d0313b991a4bf7b695c30e023d8
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB