Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    26/10/2024, 07:38

General

  • Target

    a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe

  • Size

    331KB

  • MD5

    0b13ddcce57bf9df654cb55a64316040

  • SHA1

    84e0c65017a393700e2fb8a987b556ea2bcccaaa

  • SHA256

    a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8

  • SHA512

    7f72e5cf8ec2c0ef3babbf4b666c426843f76196d98efe6b09412e7378c089c8fd5fbaa71573004bad018a255d62918fd38f184ac77f5198a8a3e43a2f8782e9

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66ciL

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166
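The extracted configuration above gives three hard-coded C2 addresses, and the General and Downloads sections give SHA256 values for the submitted sample and every file it dropped. The block below is an added example (not part of the Triage report and not Urelas code) that turns those indicators into a small offline matcher: it hashes files under a directory and checks connection-log lines for the C2 addresses. The log lines are constructed for the example; the hash set and IP set are copied verbatim from this report.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the report above. The dropped file names (jejyi.exe,
# revyw.exe, _uinsey.bat) look generated per run, so the hashes are the
# reliable part; they match only these exact builds.
URELAS_SHA256 = {
    "a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8": "submitted sample",
    "2deb5a19bbbfc47e3bc7044a33fd0dfe59002b788c0ab3f56377155a62181392": "jejyi.exe (dropped)",
    "2fd0e747bf278c5097804728da935b3885bdde8f33e3ba020aa172f516a5b410": "revyw.exe (dropped)",
    "e44239c7f1b3e778b0f68db156f50ce12ec49d2577f64e5074adb99cea3e2a92": "_uinsey.bat (self-delete script)",
}
URELAS_C2 = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    # Stream the file so large artifacts do not have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(hexdigest: str):
    """Return the report label for a known hash, else None (case-insensitive)."""
    return URELAS_SHA256.get(hexdigest.strip().lower())


def scan_tree(root: Path):
    """Hash every regular file under root and report the ones in the IOC set."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            label = match_hash(sha256_file(p))
            if label:
                hits.append((str(p), label))
    return hits


def c2_hits(log_lines):
    """Return (line_number, ip) for each line that mentions a known C2 address.

    Any IPv4 literal on the line is checked, so the format of the log does
    not matter; only the destination set does. No port is checked because
    the report does not record one.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4.findall(line):
            if ip in URELAS_C2:
                hits.append((n, ip))
    return hits


# Constructed flow-log lines for the example (not taken from the report's
# Network tab). 198.51.100.7 is documentation address space.
SAMPLE_LOG = [
    "2024-10-26T07:39:02Z 10.0.0.5:49712 -> 218.54.31.226:80 TCP SYN",
    "2024-10-26T07:39:02Z 10.0.0.5:49713 -> 198.51.100.7:443 TCP SYN",
    "2024-10-26T07:39:05Z 10.0.0.5:49714 -> 218.54.31.165:80 TCP SYN",
]

if __name__ == "__main__":
    for line_no, ip in c2_hits(SAMPLE_LOG):
        print(f"line {line_no}: contact with Urelas C2 {ip}")
    for path, label in scan_tree(Path(".")):
        print(f"{path}: {label}")
```

Two caveats a responder should keep in mind: the C2 addresses were extracted on the submission date shown above and may have been reassigned or sinkholed since, so a hit on an old log is stronger evidence than a hit on a new one; and exact-hash matching will miss any other Urelas build, which is what the SSDEEP value in the General section is for.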

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe
    "C:\Users\Admin\AppData\Local\Temp\a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Temp\jejyi.exe
      "C:\Users\Admin\AppData\Local\Temp\jejyi.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Users\Admin\AppData\Local\Temp\revyw.exe
        "C:\Users\Admin\AppData\Local\Temp\revyw.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2100
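The process tree above shows the two behaviours that are worth a detection rule independent of any hash: an executable in the user's Temp directory spawning further executables from the same directory (the "Executes dropped EXE" signature), and the original process launching `cmd.exe /c` on a `.bat` in Temp, which is how the sample deletes itself. The block below is an added example, not tooling from Triage or from the sample, that applies those two rules to process-creation events. The event records are constructed to mirror the tree above (the parent `explorer.exe` at PID 1000 and the benign `notepad.exe` at PID 3000 are assumptions added for contrast); the fields used are the ones Sysmon Event ID 1 provides (Image, CommandLine, ProcessId, ParentProcessId).

```python
import re
from dataclasses import dataclass

# Per-user Temp directory as seen in the report's paths.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# A .bat path inside that Temp directory, as passed to cmd /c.
BAT_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.bat", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_temp(path: str) -> bool:
    return bool(TEMP_DIR.search(path))


def detect(events):
    """Return (rule_name, pid) for every event that matches one of two rules.

    temp_exe_spawns_temp_exe: parent image and child image both live in
        Temp and the child is an .exe (dropped-payload execution).
    temp_exe_runs_temp_bat_via_cmd: parent image lives in Temp and the child
        is cmd.exe whose command line names a .bat in Temp (self-deletion).
    Events whose parent is not in the batch are skipped rather than guessed.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_temp(parent.image):
            continue
        image = e.image.lower()
        if in_temp(e.image) and image.endswith(".exe"):
            hits.append(("temp_exe_spawns_temp_exe", e.pid))
        if image.endswith("\\cmd.exe") and BAT_IN_TEMP.search(e.cmdline):
            hits.append(("temp_exe_runs_temp_bat_via_cmd", e.pid))
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "a2d77a210a565481d279db49f7acbf7b897f91fe8e9e58938064444ca91573d8N.exe"

# Constructed events reproducing the report's tree (PIDs 2580, 2420, 904,
# 2100) plus an assumed explorer.exe parent and a benign sibling process.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2580, 1000, rf"{TEMP}\{SAMPLE}", rf'"{TEMP}\{SAMPLE}"'),
    ProcEvent(2420, 2580, rf"{TEMP}\jejyi.exe", rf'"{TEMP}\jejyi.exe"'),
    ProcEvent(904, 2420, rf"{TEMP}\revyw.exe", rf'"{TEMP}\revyw.exe"'),
    ProcEvent(2100, 2580, r"C:\Windows\SysWOW64\cmd.exe",
              rf'cmd /c ""{TEMP}\_uinsey.bat" "'),
    ProcEvent(3000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: PID {pid}")
```

The first rule will also fire on some legitimate installers that unpack to Temp and run a second stage, so in production it is a hunting signal to pair with the parent being unsigned or newly seen. The second rule is narrower: a Temp-resident executable handing a Temp-resident batch file to `cmd /c` has few benign explanations, and the 342-byte `_uinsey.bat` in the Downloads section is the artifact to pull before it is gone.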

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    60e4d1fa0a5f55d23210decdc0f162a5

    SHA1

    a630e36890646fee7f3b15f5dacfd55c23c5f9d8

    SHA256

    e44239c7f1b3e778b0f68db156f50ce12ec49d2577f64e5074adb99cea3e2a92

    SHA512

    374c3ede5b309fbfbc54440d3b8b0d4d2099eaedab19aeb1789990d4584a01eb7d30adb955aedaa0ed52fe4e213884cc290a3dcf79fc234771994a1086179659

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    262ef18845f3a44e3d87383ada4c8cd8

    SHA1

    e49afe1a6457232d4e80ee1ef9b7c3cbd805902f

    SHA256

    71616c3d80f1011877210ddae563c1e3aab6f5a1cf74929718699deb0fa2fbb7

    SHA512

    7ce769f1355d6e3171c134be5e8e46724b4791800d58de06f795687ddacea6eb4603bdfea8426104c9d104b63124b9c66ba174fc6efc1a7db8e43034f8f00de1

  • \Users\Admin\AppData\Local\Temp\jejyi.exe

    Filesize

    331KB

    MD5

    8243083c869e1744651f79e8c6aa4f3d

    SHA1

    80a0334044c9c8ccdb928a39e9ba62ac80f02081

    SHA256

    2deb5a19bbbfc47e3bc7044a33fd0dfe59002b788c0ab3f56377155a62181392

    SHA512

    205798052ec2fabac9b22006ea3083a660508a58e26f2955269de5e21c0edc3017c6952893f13a6a1805e7a52125327776dc5ad707a83563b5f0d85f97ba509a

  • \Users\Admin\AppData\Local\Temp\revyw.exe

    Filesize

    172KB

    MD5

    c808bfdb1ef33dfeac96671c9b709376

    SHA1

    835ac6d64284024f96722bbacf8bc5c59ec2bf15

    SHA256

    2fd0e747bf278c5097804728da935b3885bdde8f33e3ba020aa172f516a5b410

    SHA512

    63cade58e0d4040ffeef82329fe36ce10461e1171ac47cc80952a5e1ead4124eef300b4c1985eb91efca7d392fc01e7143b395b75c143b041607c71b8c7a38ed

  • memory/904-48-0x0000000000DF0000-0x0000000000E89000-memory.dmp

    Filesize

    612KB

  • memory/904-47-0x0000000000DF0000-0x0000000000E89000-memory.dmp

    Filesize

    612KB

  • memory/904-43-0x0000000000DF0000-0x0000000000E89000-memory.dmp

    Filesize

    612KB

  • memory/904-42-0x0000000000DF0000-0x0000000000E89000-memory.dmp

    Filesize

    612KB

  • memory/2420-24-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2420-23-0x0000000000A80000-0x0000000000B01000-memory.dmp

    Filesize

    516KB

  • memory/2420-41-0x0000000000A80000-0x0000000000B01000-memory.dmp

    Filesize

    516KB

  • memory/2420-18-0x0000000000A80000-0x0000000000B01000-memory.dmp

    Filesize

    516KB

  • memory/2420-39-0x0000000003290000-0x0000000003329000-memory.dmp

    Filesize

    612KB

  • memory/2420-20-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2580-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2580-19-0x00000000009D0000-0x0000000000A51000-memory.dmp

    Filesize

    516KB

  • memory/2580-0-0x00000000009D0000-0x0000000000A51000-memory.dmp

    Filesize

    516KB