Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2024, 23:16
Static task: static1
Behavioral task: behavioral1
Sample: 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Resource: win7-20240903-en
General
Target: 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Size: 330KB
MD5: a7fca01381772be5f88e3f4c59bb488a
SHA1: 934e2a8dd0bf5fa61aa8809d73d7b46628812eea
SHA256: 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1
SHA512: d8def90bc95351068860d6cff6f0ce7a2857be86202980f0714d46d4cdf15901828ce49ea365e9990a609e12a82d5afa7ae2fd4cec7f74b39c51e384661dc282
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVq:vHW138/iXWlK885rKlGSekcj66ciEq
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | xuloa.exe

Executes dropped EXE (2 IoCs)
pid | Process
4012 | xuloa.exe
1884 | puxeh.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xuloa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | puxeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1884 | puxeh.exe (this row is repeated 64 times in the report, once per IoC)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4464 wrote to memory of 4012 | 4464 | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe | 87
PID 4464 wrote to memory of 4012 | 4464 | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe | 87
PID 4464 wrote to memory of 4012 | 4464 | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe | 87
PID 4464 wrote to memory of 1744 | 4464 | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe | 88
PID 4464 wrote to memory of 1744 | 4464 | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe | 88
PID 4464 wrote to memory of 1744 | 4464 | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe | 88
PID 4012 wrote to memory of 1884 | 4012 | xuloa.exe | 101
PID 4012 wrote to memory of 1884 | 4012 | xuloa.exe | 101
PID 4012 wrote to memory of 1884 | 4012 | xuloa.exe | 101
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe"
  PID: 4464
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\xuloa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\xuloa.exe"
    PID: 4012
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\puxeh.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\puxeh.exe"
      PID: 1884
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 1744
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads