Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/10/2024, 07:38
Static task: static1
Behavioral task: behavioral1
Sample: a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
Resource: win7-20240903-en
General
Target: a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
Size: 331KB
MD5: 0b13ddcce57bf9df654cb55a64316040
SHA1: 84e0c65017a393700e2fb8a987b556ea2bcccaaa
SHA256: a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8
SHA512: 7f72e5cf8ec2c0ef3babbf4b666c426843f76196d98efe6b09412e7378c089c8fd5fbaa71573004bad018a255d62918fd38f184ac77f5198a8a3e43a2f8782e9
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66ciL
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures

Urelas family

Deletes itself (1 IoC)
  pid   Process
  2100  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2420  jejyi.exe
  904   revyw.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2580  a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
  2420  jejyi.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  revyw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jejyi.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   Process
  904   revyw.exe   (24 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2580 wrote to memory of 2420   2580  a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe   30   (4 identical entries)
  PID 2580 wrote to memory of 2100   2580  a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe   31   (4 identical entries)
  PID 2420 wrote to memory of 904    2420  jejyi.exe                                                                 34   (4 identical entries)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2580

  [depth 2] C:\Users\Admin\AppData\Local\Temp\jejyi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jejyi.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2420

    [depth 3] C:\Users\Admin\AppData\Local\Temp\revyw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\revyw.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 904

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2100
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: 60e4d1fa0a5f55d23210decdc0f162a5
SHA1: a630e36890646fee7f3b15f5dacfd55c23c5f9d8
SHA256: e44239c7f1b3e778b0f68db156f50ce12ec49d2577f64e5074adb99cea3e2a92
SHA512: 374c3ede5b309fbfbc54440d3b8b0d4d2099eaedab19aeb1789990d4584a01eb7d30adb955aedaa0ed52fe4e213884cc290a3dcf79fc234771994a1086179659

Filesize: 512B
MD5: 262ef18845f3a44e3d87383ada4c8cd8
SHA1: e49afe1a6457232d4e80ee1ef9b7c3cbd805902f
SHA256: 71616c3d80f1011877210ddae563c1e3aab6f5a1cf74929718699deb0fa2fbb7
SHA512: 7ce769f1355d6e3171c134be5e8e46724b4791800d58de06f795687ddacea6eb4603bdfea8426104c9d104b63124b9c66ba174fc6efc1a7db8e43034f8f00de1

Filesize: 331KB
MD5: 8243083c869e1744651f79e8c6aa4f3d
SHA1: 80a0334044c9c8ccdb928a39e9ba62ac80f02081
SHA256: 2deb5a19bbbfc47e3bc7044a33fd0dfe59002b788c0ab3f56377155a62181392
SHA512: 205798052ec2fabac9b22006ea3083a660508a58e26f2955269de5e21c0edc3017c6952893f13a6a1805e7a52125327776dc5ad707a83563b5f0d85f97ba509a

Filesize: 172KB
MD5: c808bfdb1ef33dfeac96671c9b709376
SHA1: 835ac6d64284024f96722bbacf8bc5c59ec2bf15
SHA256: 2fd0e747bf278c5097804728da935b3885bdde8f33e3ba020aa172f516a5b410
SHA512: 63cade58e0d4040ffeef82329fe36ce10461e1171ac47cc80952a5e1ead4124eef300b4c1985eb91efca7d392fc01e7143b395b75c143b041607c71b8c7a38ed