Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/10/2024, 05:25
General
-
Target
ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
-
Size
331KB
-
MD5
f0dd240cd2f939bac9a5cdeeaef5bd0f
-
SHA1
2e5da045a18a8fc6e5c511161b81e677f29b81c0
-
SHA256
ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6
-
SHA512
967b5ef74ea32b59dedbb1dc522157b80933585304f2c1f99e0605800599ec500d6325d6d1643566d7488d925756d2ffc79e4c851da3fd2df33b7f00e08ed09c
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciY
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe"C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hosyd.exe"C:\Users\Admin\AppData\Local\Temp\hosyd.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bebip.exe"C:\Users\Admin\AppData\Local\Temp\bebip.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD58cd3cff4178cc59d085a3ecf5839d45d
SHA1bd0d82aa555476a6a8a90c114672006cb938cf4a
SHA256ab7d42261a64ff50596b350a591c5365158319d569c6d29093ec63ff149c3010
SHA51226d222a62bf883fbab1bac9b4dab8c019d313b76a6601c9549a0d6f3cb8c41db46ba5eac7d57709290244672561f64c46ab479be170209e67a035c686f311efb
-
Filesize
172KB
MD5d79d1f6251e81eccb29abbcbd85aaf21
SHA1507941fbd66697440753d971dfbb6f3908d1fab4
SHA2564f48d36edc12c517553bfa31829c12dfe633ead0e806943bff279940e543a360
SHA5125addcce53bc85e41c74333ce9f33c06c34cdd97924ed671cd89a4a272da6e9f7e522f6bb3fedf51b1568da3c04650dd85ec9919c8f81889d7f35203a787a4b5d
-
Filesize
512B
MD5beee7355e7fc2c167d48826e5dabcf1e
SHA16b08dc37c5306e95d914f290a7eba56ba28877f4
SHA2561b2972696a1b6f99f6dc579c7a8c4b2e889e3c66dc7b75bc3ea4009f48c249ad
SHA5128495f039a6cf516c200ffe74cecfddcd950a812cd9208d88598e5590597732e97b5d3dfa2eff94e70ac561b16ac875b7fc5757b279e23ddb9f00fbfae64c68f9
-
Filesize
331KB
MD58aac9d79db8c1cbedef9b1252c92e95e
SHA16366c89fa306c80cd263f1bb7421567d34abe389
SHA25683bb127d199e004e780e2f99ed1f059a21b6a2f6a0c58480e661bbfdcc45c1e9
SHA5128d1281ff155bce81074dc4e8cd2cf61fc6dc92b0a8c28b448dff6ce4a06de921cdb15782b1959a1de1aca004afd171ac8adf5ca8a7b9f08bb9fd87eb5dc2f6ac
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB