Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a0a7adf664...5N.exe

windows7-x64

10

a0a7adf664...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2024, 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0a7adf664292ada80f2729dc4eface86383bef0519b696f6f1c1b972ab94b45N.exe

  • Size

    89KB

  • MD5

    89cabdf181ab420194557fafe276e480

  • SHA1

    4ac6d8510f389cc7c9bee9a588183b6180042610

  • SHA256

    a0a7adf664292ada80f2729dc4eface86383bef0519b696f6f1c1b972ab94b45

  • SHA512

    fabf69000eeb7f34cae941a7a3f467042d7c89cb6aa6b8a03c296d14518c1a7645d5e8f3165371264edc6fe0ab6eba94c9d0c6c6d82f7ce8d8ef37d6ebda768d

  • SSDEEP

    1536:Ywhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3Mz:YqV9MziU4piRun7C3CP3Mz

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0a7adf664292ada80f2729dc4eface86383bef0519b696f6f1c1b972ab94b45N.exe
    "C:\Users\Admin\AppData\Local\Temp\a0a7adf664292ada80f2729dc4eface86383bef0519b696f6f1c1b972ab94b45N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    02167b944a214fee3d34f9a7e356dc6a

    SHA1

    ca5b3f38a7151268726401593eb35f9b67bdde97

    SHA256

    77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

    SHA512

    c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\huter.exe
    Filesize

    89KB

    MD5

    10894407162aa456583f7dae5e7825ac

    SHA1

    8db75992554887299e97256ebcf7af42383ddfe9

    SHA256

    c6a9041829b48ba4f0e86210d456c5eb34385e91ed0da6e95ca1654e2fc86897

    SHA512

    89f74221fcb4cdbade6491f344db2645f23c16d03a37e3e7d9a0ab3525c52968a53572d3659c9abfc746e6130e5799988bf28af8acbcf38b5e4c4b556b346065

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize

    340B

    MD5

    f830df17d408f8529bd306fecae33d8d

    SHA1

    f0896584e8d3f1d2cbea67e6a4e9246177a4d20d

    SHA256

    35a91b5ae477432f6165ad85cfaa9984ffa75da0e1da9ab70cfa73b6a8ff9017

    SHA512

    e623facbdbf14fdc57f17881dc85cd9f183e80627478f381034c149e6005fd1e7b4b6155cb401db85b2ffa89ca230a59c76762b5618581ce04d1aba13c4826db

    Download Submit

  • memory/2584-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2584-17-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3772-20-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3772-22-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3772-29-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download