Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 23:16

General

  • Target

    6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe

  • Size

    330KB

  • MD5

    a7fca01381772be5f88e3f4c59bb488a

  • SHA1

    934e2a8dd0bf5fa61aa8809d73d7b46628812eea

  • SHA256

    6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1

  • SHA512

    d8def90bc95351068860d6cff6f0ce7a2857be86202980f0714d46d4cdf15901828ce49ea365e9990a609e12a82d5afa7ae2fd4cec7f74b39c51e384661dc282

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVq:vHW138/iXWlK885rKlGSekcj66ciEq

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
    "C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Users\Admin\AppData\Local\Temp\xuloa.exe
      "C:\Users\Admin\AppData\Local\Temp\xuloa.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\AppData\Local\Temp\puxeh.exe
        "C:\Users\Admin\AppData\Local\Temp\puxeh.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    163be0232365d7ce68accdc4efeda98e

    SHA1

    065d2753d718c85c30f13d29311e5f9f7d469e08

    SHA256

    5a99ed92dbb374a881252e400b55fc2e24a911772061d55953b45e07ce77e26b

    SHA512

    3f2d8da1b5c58a7e5832d1c1f2a25886365f83966aeb3e6230cabf42032e9067df5f6f4c08c4b7dd44406fc147cc5e9cd40906b546220568b579d1ef4d16ca18

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    c770108b028f35806a4c76451ae6c4ea

    SHA1

    df2f328f9c980170ec7ded55a94a78e7837328b9

    SHA256

    5ffb6e6a56478418156fbeb40d003baf80ced0704462b7fc927da08a95006bd3

    SHA512

    c1c2de37b1baf08db502a92a9394dd7c20d6b5145a835c5fe0b7dd2ad182fa48f82af979f97026d85d30b88bca6719e41d9497ace99aaf6608f1a6ad3e130c66

  • C:\Users\Admin\AppData\Local\Temp\puxeh.exe

    Filesize

    172KB

    MD5

    9c4dde3e0572ceada02fa9982c0b32a5

    SHA1

    3d055892968b201294bb1895d1d0b87cf92da007

    SHA256

    e13d5c74191cae85de35cb63e1740f4715fe1351179f64663140e49d7f9ddc0a

    SHA512

    016239ffd1e084f53b82a393add4dc5f8514a38559b8cf6c6f99577455d04372ade4773168e0ad952435118609ac2d04653cbe064b8a51689101055f613016d4

  • C:\Users\Admin\AppData\Local\Temp\xuloa.exe

    Filesize

    330KB

    MD5

    9bb7aa2ee0cfdb044dee44940002e55a

    SHA1

    d6f2451513b86009243bf592c280a42b75b8497e

    SHA256

    2da1a1e1def654a61146f5fdf1eaabe59096a931877db3dcbdcc3d0208c52831

    SHA512

    14094cfef162ef884665c46e5f0565ac231e168888cdde0d65a4896a65501d8ace1c37eba5e1bfb332ce35fc16fadfd36e3b196e5a5f7844ae3efb63d1818830

  • memory/1884-45-0x00000000009C0000-0x0000000000A59000-memory.dmp

    Filesize

    612KB

  • memory/1884-46-0x0000000000E20000-0x0000000000E22000-memory.dmp

    Filesize

    8KB

  • memory/1884-50-0x00000000009C0000-0x0000000000A59000-memory.dmp

    Filesize

    612KB

  • memory/1884-49-0x00000000009C0000-0x0000000000A59000-memory.dmp

    Filesize

    612KB

  • memory/1884-48-0x00000000009C0000-0x0000000000A59000-memory.dmp

    Filesize

    612KB

  • memory/1884-47-0x00000000009C0000-0x0000000000A59000-memory.dmp

    Filesize

    612KB

  • memory/1884-41-0x00000000009C0000-0x0000000000A59000-memory.dmp

    Filesize

    612KB

  • memory/1884-40-0x0000000000E20000-0x0000000000E22000-memory.dmp

    Filesize

    8KB

  • memory/1884-37-0x00000000009C0000-0x0000000000A59000-memory.dmp

    Filesize

    612KB

  • memory/4012-39-0x00000000001F0000-0x0000000000271000-memory.dmp

    Filesize

    516KB

  • memory/4012-20-0x00000000001F0000-0x0000000000271000-memory.dmp

    Filesize

    516KB

  • memory/4012-15-0x0000000001040000-0x0000000001041000-memory.dmp

    Filesize

    4KB

  • memory/4012-14-0x00000000001F0000-0x0000000000271000-memory.dmp

    Filesize

    516KB

  • memory/4464-17-0x0000000000DA0000-0x0000000000E21000-memory.dmp

    Filesize

    516KB

  • memory/4464-0-0x0000000000DA0000-0x0000000000E21000-memory.dmp

    Filesize

    516KB

  • memory/4464-1-0x0000000000E40000-0x0000000000E41000-memory.dmp

    Filesize

    4KB