Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/10/2024, 05:25

General

  • Target

    ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe

  • Size

    331KB

  • MD5

    f0dd240cd2f939bac9a5cdeeaef5bd0f

  • SHA1

    2e5da045a18a8fc6e5c511161b81e677f29b81c0

  • SHA256

    ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6

  • SHA512

    967b5ef74ea32b59dedbb1dc522157b80933585304f2c1f99e0605800599ec500d6325d6d1643566d7488d925756d2ffc79e4c851da3fd2df33b7f00e08ed09c

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciY

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
    "C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Users\Admin\AppData\Local\Temp\hosyd.exe
      "C:\Users\Admin\AppData\Local\Temp\hosyd.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Users\Admin\AppData\Local\Temp\bebip.exe
        "C:\Users\Admin\AppData\Local\Temp\bebip.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    8cd3cff4178cc59d085a3ecf5839d45d

    SHA1

    bd0d82aa555476a6a8a90c114672006cb938cf4a

    SHA256

    ab7d42261a64ff50596b350a591c5365158319d569c6d29093ec63ff149c3010

    SHA512

    26d222a62bf883fbab1bac9b4dab8c019d313b76a6601c9549a0d6f3cb8c41db46ba5eac7d57709290244672561f64c46ab479be170209e67a035c686f311efb

  • C:\Users\Admin\AppData\Local\Temp\bebip.exe

    Filesize

    172KB

    MD5

    d79d1f6251e81eccb29abbcbd85aaf21

    SHA1

    507941fbd66697440753d971dfbb6f3908d1fab4

    SHA256

    4f48d36edc12c517553bfa31829c12dfe633ead0e806943bff279940e543a360

    SHA512

    5addcce53bc85e41c74333ce9f33c06c34cdd97924ed671cd89a4a272da6e9f7e522f6bb3fedf51b1568da3c04650dd85ec9919c8f81889d7f35203a787a4b5d

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    beee7355e7fc2c167d48826e5dabcf1e

    SHA1

    6b08dc37c5306e95d914f290a7eba56ba28877f4

    SHA256

    1b2972696a1b6f99f6dc579c7a8c4b2e889e3c66dc7b75bc3ea4009f48c249ad

    SHA512

    8495f039a6cf516c200ffe74cecfddcd950a812cd9208d88598e5590597732e97b5d3dfa2eff94e70ac561b16ac875b7fc5757b279e23ddb9f00fbfae64c68f9

  • C:\Users\Admin\AppData\Local\Temp\hosyd.exe

    Filesize

    331KB

    MD5

    8aac9d79db8c1cbedef9b1252c92e95e

    SHA1

    6366c89fa306c80cd263f1bb7421567d34abe389

    SHA256

    83bb127d199e004e780e2f99ed1f059a21b6a2f6a0c58480e661bbfdcc45c1e9

    SHA512

    8d1281ff155bce81074dc4e8cd2cf61fc6dc92b0a8c28b448dff6ce4a06de921cdb15782b1959a1de1aca004afd171ac8adf5ca8a7b9f08bb9fd87eb5dc2f6ac

  • memory/936-17-0x0000000000560000-0x00000000005E1000-memory.dmp

    Filesize

    516KB

  • memory/936-0-0x0000000000560000-0x00000000005E1000-memory.dmp

    Filesize

    516KB

  • memory/936-1-0x0000000000B90000-0x0000000000B91000-memory.dmp

    Filesize

    4KB

  • memory/1160-14-0x00000000007F0000-0x00000000007F1000-memory.dmp

    Filesize

    4KB

  • memory/1160-11-0x0000000000750000-0x00000000007D1000-memory.dmp

    Filesize

    516KB

  • memory/1160-21-0x00000000007F0000-0x00000000007F1000-memory.dmp

    Filesize

    4KB

  • memory/1160-20-0x0000000000750000-0x00000000007D1000-memory.dmp

    Filesize

    516KB

  • memory/1160-44-0x0000000000750000-0x00000000007D1000-memory.dmp

    Filesize

    516KB

  • memory/2948-39-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

    Filesize

    8KB

  • memory/2948-40-0x0000000000620000-0x00000000006B9000-memory.dmp

    Filesize

    612KB

  • memory/2948-38-0x0000000000620000-0x00000000006B9000-memory.dmp

    Filesize

    612KB

  • memory/2948-46-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

    Filesize

    8KB

  • memory/2948-47-0x0000000000620000-0x00000000006B9000-memory.dmp

    Filesize

    612KB

  • memory/2948-48-0x0000000000620000-0x00000000006B9000-memory.dmp

    Filesize

    612KB

  • memory/2948-49-0x0000000000620000-0x00000000006B9000-memory.dmp

    Filesize

    612KB

  • memory/2948-50-0x0000000000620000-0x00000000006B9000-memory.dmp

    Filesize

    612KB

  • memory/2948-51-0x0000000000620000-0x00000000006B9000-memory.dmp

    Filesize

    612KB