Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 01:02

General

  • Target

    ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe

  • Size

    330KB

  • MD5

    2dd959c6e1effb6abe46f94d0702b2f5

  • SHA1

    77b2edad9d60e05a74840a598a7797e47c42a885

  • SHA256

    ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43

  • SHA512

    ac666070e68302e8092b1a180f69ae71c808a75b99813e7c2c55d26bc7fc007ef7724ce616a8652565bf78c71011bac6f04b2b628a1f7a6d559ff5b9314ae1a7

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVN:vHW138/iXWlK885rKlGSekcj66ciEN

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
    "C:\Users\Admin\AppData\Local\Temp\ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\uhtoy.exe
      "C:\Users\Admin\AppData\Local\Temp\uhtoy.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Users\Admin\AppData\Local\Temp\lynud.exe
        "C:\Users\Admin\AppData\Local\Temp\lynud.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    23711745137f60f536ecd30106ce5d6f

    SHA1

    bedbfff2c9fbc138a78a3d1c0bde391a363d6c97

    SHA256

    f9416d13ebeddc0f2f679e8cfe904d11dc2b36f18caed57b4bb8aaca87af34ac

    SHA512

    97777e6997e64424650f83ad22a7c2bd553e9f6d021602853c182c81646d956c87c65fc20ec05e28669a55acce5a4736e523dbbc2c74852ad9d3c5b4494d6482

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    9e922a97590c667ace3f5b0e023d8221

    SHA1

    f52c1e81d6c7b2b64e3b02d3c0dfff2cb3caefb8

    SHA256

    055b90fa4ed66226af3a2d6813135ee1dfb47db31f6dce34696f3db4fb291a2a

    SHA512

    b8d2574a06929a0a21d9d0807ae1635047dfab59be4dc86bf0f83320ed17fef66587c622a948bdae4a709cc7fd253ed6818a13191d1c06c9f1f3c0de1aff44f9

  • C:\Users\Admin\AppData\Local\Temp\lynud.exe

    Filesize

    172KB

    MD5

    46d6966136775965eb30f4c144c2885f

    SHA1

    8ac28e5c6c1b089af681e28c881f1ad69e779417

    SHA256

    7ef63c5946354331b39cc7cb191024396cff12f44dafb5a7c48aafc655a01dc9

    SHA512

    d8cec70c770abd9e328cb7bb9a723eb1bab72aee7788d1e8ad71350ada195338c037d8f21f7ceb2b7f66584cbb8c7b4e49401f03501c97bf8458a8cdb17b0f36

  • C:\Users\Admin\AppData\Local\Temp\uhtoy.exe

    Filesize

    330KB

    MD5

    7a3f11834f77bd1b6b1ddd1521a72c01

    SHA1

    61d4a7cf0d5ff9e8de4750eed4377fe3c4daa55b

    SHA256

    5d3bf68b83c1713a8bee18b1f555ad951ac90af4c746e22b07a71950429ccd3a

    SHA512

    dcf9d089696dbcc7f1da9c136e73019ad7d1f2542dd191a9c7e2809092cfcf6fd332f378d1544f9252a354059017bbd5374306b4d61b495a222cd600b770564b

  • memory/1168-17-0x00000000005B0000-0x0000000000631000-memory.dmp

    Filesize

    516KB

  • memory/1168-0-0x00000000005B0000-0x0000000000631000-memory.dmp

    Filesize

    516KB

  • memory/1168-1-0x0000000001100000-0x0000000001101000-memory.dmp

    Filesize

    4KB

  • memory/1388-11-0x0000000000610000-0x0000000000691000-memory.dmp

    Filesize

    516KB

  • memory/1388-14-0x0000000000D70000-0x0000000000D71000-memory.dmp

    Filesize

    4KB

  • memory/1388-20-0x0000000000610000-0x0000000000691000-memory.dmp

    Filesize

    516KB

  • memory/1388-21-0x0000000000D70000-0x0000000000D71000-memory.dmp

    Filesize

    4KB

  • memory/1388-39-0x0000000000610000-0x0000000000691000-memory.dmp

    Filesize

    516KB

  • memory/2912-41-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

    Filesize

    8KB

  • memory/2912-38-0x0000000000550000-0x00000000005E9000-memory.dmp

    Filesize

    612KB

  • memory/2912-42-0x0000000000550000-0x00000000005E9000-memory.dmp

    Filesize

    612KB

  • memory/2912-47-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

    Filesize

    8KB

  • memory/2912-46-0x0000000000550000-0x00000000005E9000-memory.dmp

    Filesize

    612KB

  • memory/2912-48-0x0000000000550000-0x00000000005E9000-memory.dmp

    Filesize

    612KB

  • memory/2912-49-0x0000000000550000-0x00000000005E9000-memory.dmp

    Filesize

    612KB

  • memory/2912-50-0x0000000000550000-0x00000000005E9000-memory.dmp

    Filesize

    612KB

  • memory/2912-51-0x0000000000550000-0x00000000005E9000-memory.dmp

    Filesize

    612KB