Analysis

  • max time kernel
    119s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2024, 02:29

General

  • Target

    5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe

  • Size

    334KB

  • MD5

    aae5733bb4ed466d348eb25664f48520

  • SHA1

    94bb4c32f47fd90713f29669a96446d2d09a31db

  • SHA256

    5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5

  • SHA512

    8c7372c3a0f08727c2a5600ae1f4f8384a6c0348c0e6702992ef722791f5808a046b243e6ea8f7528b93f45aab9b1eca5b5bca6b382ff49d5170f2c3afbacf62

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOcF:vHW138/iXWlK885rKlGSekcj66cin

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\bewoo.exe
      "C:\Users\Admin\AppData\Local\Temp\bewoo.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Local\Temp\giviu.exe
        "C:\Users\Admin\AppData\Local\Temp\giviu.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2764
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    6cc0a0f85e04a320a865639a8416b503

    SHA1

    856723f3b651c5aa3eae579152a689133656723c

    SHA256

    104a99d9ac9258a2b7dccb5bb28a849cc22743fa370169e327626227afec2555

    SHA512

    7cd76b3422bfcd0dea7f5e821192e40000d5efda8a3d584e59a12a7f7e0b2b666553f4e2e394803621d36f2e4279056171badeb2568af4358ada1c3f2151b7f3

  • C:\Users\Admin\AppData\Local\Temp\bewoo.exe

    Filesize

    334KB

    MD5

    cce4c1ae12cfb43ab9191099d4617bea

    SHA1

    b07ec3ef5a187a3db6c9eac17c43035f2a629806

    SHA256

    78354c7f2a9e2bd3f3a9b83197a53f77a89373a89e6aa691b473208d17b8a875

    SHA512

    656d90203cf71d947990c1a38ff0a5a03dc09a47ce277bb5bae800584d9e125d044639a37221032079e5701b3f967dfb2e7a05e459fc1ef732b596bd4160f2a3

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    ec1521d565542fa8adbac634cd261d27

    SHA1

    4be395194ea91c496c7bcd241ffe09b4d6c93797

    SHA256

    49356e97514977b468618a7f826abd7b4a18820f2ec3300852a4719207dc8a39

    SHA512

    d0932d372722947c48a9b2a728aea44d54f61831aa00be7ce50c53025225b8d6137356ed38bd179e1fe2ff79017d9a2dec7f548dfb1295a10f2a65adbd6e6090

  • \Users\Admin\AppData\Local\Temp\bewoo.exe

    Filesize

    334KB

    MD5

    c240f3745097d55a9fc1f9c35f0de4a1

    SHA1

    0e8f892e09b2f2473ca0fec7b0c93c19da185b85

    SHA256

    622c0cd2780f98389c2ed08f068fe86819af07ed749bc22f87f20da5d0309eb5

    SHA512

    eaa523840af0acaca5e0480662b89c121f7c7bdb5787a99e2af948e00e3fb2b49bc02ab1364a40559e261105d0e976daac072bdf1f34e1e45ef50164a06fa1f5

  • \Users\Admin\AppData\Local\Temp\giviu.exe

    Filesize

    172KB

    MD5

    9702f42c8991678e6186e788d222d0b8

    SHA1

    e31a99280d465718f4e66929aa46322e29055dd2

    SHA256

    799245d8f24243bade95fcdbe0d99acaedb7926052a7f08c07ff07b78283ddf9

    SHA512

    4a7b6e516ec9ac4655eff922fefcf26fd918a856960b8eff6232895369cde1d005932058749df87eb76f184ca6d74f34b74e90db284c140505e57f748da23c5e

  • memory/1996-23-0x00000000012C0000-0x0000000001341000-memory.dmp

    Filesize

    516KB

  • memory/1996-20-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/1996-16-0x00000000012C0000-0x0000000001341000-memory.dmp

    Filesize

    516KB

  • memory/1996-35-0x0000000003310000-0x00000000033A9000-memory.dmp

    Filesize

    612KB

  • memory/1996-40-0x00000000012C0000-0x0000000001341000-memory.dmp

    Filesize

    516KB

  • memory/2764-44-0x0000000000200000-0x0000000000299000-memory.dmp

    Filesize

    612KB

  • memory/2764-41-0x0000000000200000-0x0000000000299000-memory.dmp

    Filesize

    612KB

  • memory/2764-47-0x0000000000200000-0x0000000000299000-memory.dmp

    Filesize

    612KB

  • memory/2764-48-0x0000000000200000-0x0000000000299000-memory.dmp

    Filesize

    612KB

  • memory/2980-19-0x0000000001100000-0x0000000001181000-memory.dmp

    Filesize

    516KB

  • memory/2980-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2980-0-0x0000000001100000-0x0000000001181000-memory.dmp

    Filesize

    516KB