Analysis
max time kernel: 119s
max time network: 91s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2024, 02:29
Static task: static1
Behavioral task: behavioral1
Sample: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
Resource: win7-20240903-en
General
Target: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
Size: 334KB
MD5: aae5733bb4ed466d348eb25664f48520
SHA1: 94bb4c32f47fd90713f29669a96446d2d09a31db
SHA256: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5
SHA512: 8c7372c3a0f08727c2a5600ae1f4f8384a6c0348c0e6702992ef722791f5808a046b243e6ea8f7528b93f45aab9b1eca5b5bca6b382ff49d5170f2c3afbacf62
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOcF:vHW138/iXWlK885rKlGSekcj66cin
Malware Config
Extracted (urelas): 218.54.31.226, 218.54.31.165, 218.54.31.166
Signatures
- Urelas family
- Deletes itself (1 IoC)
  PID 2836 cmd.exe
- Executes dropped EXE (2 IoCs)
  PID 1996 bewoo.exe
  PID 2764 giviu.exe
- Loads dropped DLL (2 IoCs)
  PID 2980 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
  PID 1996 bewoo.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: giviu.exe, 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe, bewoo.exe, cmd.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 2764 giviu.exe (24 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2980 (5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe) wrote to memory of PID 1996 (bewoo.exe), 4 events, target procid 31
  PID 2980 (5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe) wrote to memory of PID 2836 (cmd.exe), 4 events, target procid 32
  PID 1996 (bewoo.exe) wrote to memory of PID 2764 (giviu.exe), 4 events, target procid 35
Processes
- C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe (PID 2980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe"
  Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bewoo.exe (PID 1996)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bewoo.exe"
    Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\giviu.exe (PID 2764)
      Command line: "C:\Users\Admin\AppData\Local\Temp\giviu.exe"
      Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2836)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    Deletes itself; System Location Discovery: System Language Discovery
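As an added triage example (not tria.ge's own code or output), the following Python rebuilds the process tree from the WriteProcessMemory parent/child records in the Signatures section and flags the two behaviours the report's signatures call out: a binary in the user's Temp directory spawning further Temp binaries, and self-deletion via cmd.exe running a .bat from Temp. PIDs, image paths and command lines are transcribed from this report; the heuristic names, the Temp-path test and the deduplication of repeated write events are my own assumptions, not part of the report.

```python
"""Added triage helper (not tria.ge's code): rebuild the process tree from the
report's WriteProcessMemory parent/child records and flag the patterns an
analyst would pivot on. All input below is transcribed from this report."""
import re
from collections import defaultdict

# Assumption: a user-profile Temp directory is the drop location of interest.
TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
BAT_RE = re.compile(r'"([^"]+\.bat)"', re.I)

# pid -> (image path, command line), transcribed from the Processes section.
PROCESSES = {
    2980: (r"C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe"'),
    1996: (r"C:\Users\Admin\AppData\Local\Temp\bewoo.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\bewoo.exe"'),
    2764: (r"C:\Users\Admin\AppData\Local\Temp\giviu.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\giviu.exe"'),
    2836: (r"C:\Windows\SysWOW64\cmd.exe",
           r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
}

# (writer pid, target pid) from "Suspicious use of WriteProcessMemory".
# Each pair appears four times in the report: process creation writes into the
# new child several times (parameters, environment, etc.), and the sandbox
# records one IoC per write. Deduplicate before treating them as tree edges.
WPM_EVENTS = [(2980, 1996)] * 4 + [(2980, 2836)] * 4 + [(1996, 2764)] * 4


def build_tree(events):
    """Parent pid -> sorted, unique child pids."""
    tree = defaultdict(set)
    for parent, child in events:
        tree[parent].add(child)
    return {p: sorted(c) for p, c in tree.items()}


def roots(tree):
    """Pids that wrote into others but were never written into themselves."""
    children = {c for cs in tree.values() for c in cs}
    return sorted(p for p in tree if p not in children)


def render_tree(tree, processes, pid, depth=0):
    """Indented text tree, one line per process, children under parents."""
    image = processes[pid][0].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{image} (PID {pid})"]
    for child in tree.get(pid, []):
        lines.extend(render_tree(tree, processes, child, depth + 1))
    return lines


def in_user_temp(path):
    return bool(TEMP_RE.search(path))


def flag_findings(tree, processes):
    """Heuristics mirroring this report's signatures (names are my own):
    - dropped_exe_chain: a Temp binary spawns another Temp binary
    - self_delete_batch: a Temp binary spawns cmd.exe running a .bat in Temp
    Returns (kind, parent_pid, child_pid) tuples."""
    findings = []
    for parent, children in tree.items():
        parent_image, _ = processes[parent]
        if not in_user_temp(parent_image):
            continue
        for child in children:
            child_image, child_cmd = processes[child]
            if in_user_temp(child_image):
                findings.append(("dropped_exe_chain", parent, child))
            elif child_image.lower().endswith("\\cmd.exe"):
                bat = BAT_RE.search(child_cmd)
                if bat and in_user_temp(bat.group(1)):
                    findings.append(("self_delete_batch", parent, child))
    return findings


if __name__ == "__main__":
    tree = build_tree(WPM_EVENTS)
    for root in roots(tree):
        print("\n".join(render_tree(tree, PROCESSES, root)))
    for kind, parent, child in flag_findings(tree, PROCESSES):
        print(f"[{kind}] {parent} -> {child}")
```

The dedup step matters when feeding sandbox output into detection logic: counting the twelve WriteProcessMemory IoCs as twelve injections would overstate what happened, while the three unique edges reproduce exactly the parent/child structure shown in the Processes section. The cmd.exe check keys on the batch file living in the same Temp directory as the parent, which is the usual shape of a "delete myself after I have dropped the payload" step.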
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: 6cc0a0f85e04a320a865639a8416b503
  SHA1: 856723f3b651c5aa3eae579152a689133656723c
  SHA256: 104a99d9ac9258a2b7dccb5bb28a849cc22743fa370169e327626227afec2555
  SHA512: 7cd76b3422bfcd0dea7f5e821192e40000d5efda8a3d584e59a12a7f7e0b2b666553f4e2e394803621d36f2e4279056171badeb2568af4358ada1c3f2151b7f3
- Filesize: 334KB
  MD5: cce4c1ae12cfb43ab9191099d4617bea
  SHA1: b07ec3ef5a187a3db6c9eac17c43035f2a629806
  SHA256: 78354c7f2a9e2bd3f3a9b83197a53f77a89373a89e6aa691b473208d17b8a875
  SHA512: 656d90203cf71d947990c1a38ff0a5a03dc09a47ce277bb5bae800584d9e125d044639a37221032079e5701b3f967dfb2e7a05e459fc1ef732b596bd4160f2a3
- Filesize: 512B
  MD5: ec1521d565542fa8adbac634cd261d27
  SHA1: 4be395194ea91c496c7bcd241ffe09b4d6c93797
  SHA256: 49356e97514977b468618a7f826abd7b4a18820f2ec3300852a4719207dc8a39
  SHA512: d0932d372722947c48a9b2a728aea44d54f61831aa00be7ce50c53025225b8d6137356ed38bd179e1fe2ff79017d9a2dec7f548dfb1295a10f2a65adbd6e6090
- Filesize: 334KB
  MD5: c240f3745097d55a9fc1f9c35f0de4a1
  SHA1: 0e8f892e09b2f2473ca0fec7b0c93c19da185b85
  SHA256: 622c0cd2780f98389c2ed08f068fe86819af07ed749bc22f87f20da5d0309eb5
  SHA512: eaa523840af0acaca5e0480662b89c121f7c7bdb5787a99e2af948e00e3fb2b49bc02ab1364a40559e261105d0e976daac072bdf1f34e1e45ef50164a06fa1f5
- Filesize: 172KB
  MD5: 9702f42c8991678e6186e788d222d0b8
  SHA1: e31a99280d465718f4e66929aa46322e29055dd2
  SHA256: 799245d8f24243bade95fcdbe0d99acaedb7926052a7f08c07ff07b78283ddf9
  SHA512: 4a7b6e516ec9ac4655eff922fefcf26fd918a856960b8eff6232895369cde1d005932058749df87eb76f184ca6d74f34b74e90db284c140505e57f748da23c5e