Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2024, 04:30

General

  • Target

    e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe

  • Size

    331KB

  • MD5

    43ccc6958f91e07a407881b33286ef05

  • SHA1

    7b2ce6400110ceb59534d4b181743db40817293d

  • SHA256

    e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3

  • SHA512

    42eff49833ea7f7af48eae35844ccc5c1b78eeda22362e38f37faff61540eb84de4ad32b7f7ee1f185ece81c157dbf883fa293678848dac0cf3c86811160fdfa

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ci9

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
    "C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\wuofc.exe
      "C:\Users\Admin\AppData\Local\Temp\wuofc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Users\Admin\AppData\Local\Temp\zyten.exe
        "C:\Users\Admin\AppData\Local\Temp\zyten.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    c3482ced7f644d94381c9b12ae15ecc2

    SHA1

    aee03a143b0d88848e660c6a06347c4d327b1a09

    SHA256

    ce3b22efc8692e1f90e4de419cc21f6b3306935da4224298008f4ab995b810fd

    SHA512

    560d86a27e2a4c897fc432f85e8f418d7002372d202bfd76e1ad16e6c671bbec0f66a60059dc1f5d518a183b77cca1f293ce0d735200c77f8d9a02f941cc1041

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    daff6e80df7dd04ab02d62256b91e956

    SHA1

    76e80153e92dcf8acdea918bc225baec4d55a16f

    SHA256

    104d75d278cd0495e37a47447a082d7d138c6fe57014d17fd0b97896d3920976

    SHA512

    52c889934edaab82b3fceaa24c4c20ac75d305b09eee34e1420d70a3601fa5e31a7b58d6d11c107e13455538a50f42cbf87a3804a6822235d9b3848522c24b58

  • C:\Users\Admin\AppData\Local\Temp\wuofc.exe

    Filesize

    331KB

    MD5

    3c0cb484d9055d6c594af2d779f225b6

    SHA1

    5a59400eb4beeb225b359e1e4f37d863250484dc

    SHA256

    ccd66b9c21acaff5723f8bc7878b1a4fb929d76ba38a1734bcad6215a79b535f

    SHA512

    11534d9bd032aa08dfdc4bb87fa84bd25d83b33df08591e5f17d9c0dbcfe591f229a47b6d47fba320a31ff249e5f4aa1f45206f1e3c78d2d1aece3ef793428a0

  • C:\Users\Admin\AppData\Local\Temp\zyten.exe

    Filesize

    172KB

    MD5

    e9c38eaef57b60ce3308085ed428fd7d

    SHA1

    c55985dfc9079751311d70083921e65af172543f

    SHA256

    86c5dca0991a5fc20d3e912833c3a3ea937938022d56e12f3777c3be049330ee

    SHA512

    0f5c3521e1eefbe07b7aeacf4d49b537959c77539ae3a22cbf97333bea6518be4e88cc9a69b70a80bee8b4c1914d92cdad7883fda77cb707e0979a7f4c8c73f0

  • memory/1632-46-0x0000000000760000-0x00000000007F9000-memory.dmp

    Filesize

    612KB

  • memory/1632-42-0x0000000000760000-0x00000000007F9000-memory.dmp

    Filesize

    612KB

  • memory/1632-50-0x0000000000760000-0x00000000007F9000-memory.dmp

    Filesize

    612KB

  • memory/1632-49-0x0000000000760000-0x00000000007F9000-memory.dmp

    Filesize

    612KB

  • memory/1632-48-0x0000000000760000-0x00000000007F9000-memory.dmp

    Filesize

    612KB

  • memory/1632-47-0x0000000000760000-0x00000000007F9000-memory.dmp

    Filesize

    612KB

  • memory/1632-44-0x0000000000750000-0x0000000000752000-memory.dmp

    Filesize

    8KB

  • memory/1632-37-0x0000000000760000-0x00000000007F9000-memory.dmp

    Filesize

    612KB

  • memory/3092-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB

  • memory/3092-17-0x0000000000F80000-0x0000000001001000-memory.dmp

    Filesize

    516KB

  • memory/3092-0-0x0000000000F80000-0x0000000001001000-memory.dmp

    Filesize

    516KB

  • memory/4424-40-0x00000000001E0000-0x0000000000261000-memory.dmp

    Filesize

    516KB

  • memory/4424-21-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

  • memory/4424-20-0x00000000001E0000-0x0000000000261000-memory.dmp

    Filesize

    516KB

  • memory/4424-11-0x00000000001E0000-0x0000000000261000-memory.dmp

    Filesize

    516KB

  • memory/4424-14-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB