Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2024, 02:29

Static task: static1
Behavioral task: behavioral1
- Sample: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
- Resource: win7-20240903-en
General
- Target: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
- Size: 334KB
- MD5: aae5733bb4ed466d348eb25664f48520
- SHA1: 94bb4c32f47fd90713f29669a96446d2d09a31db
- SHA256: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5
- SHA512: 8c7372c3a0f08727c2a5600ae1f4f8384a6c0348c0e6702992ef722791f5808a046b243e6ea8f7528b93f45aab9b1eca5b5bca6b382ff49d5170f2c3afbacf62
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOcF:vHW138/iXWlK885rKlGSekcj66cin
Malware Config (Extracted)
- Family: urelas
- C2 addresses:
  - 218.54.31.226
  - 218.54.31.165
  - 218.54.31.166
Signatures

Urelas family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: ridop.exe)

Executes dropped EXE (2 IoCs)
- PID 316: ridop.exe
- PID 1880: duzoz.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ridop.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: duzoz.exe)

Suspicious behavior: EnumeratesProcesses (48 IoCs)
- PID 1880: duzoz.exe (all 48 entries are this same process)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3124 (5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe) wrote to memory of PID 316, procid_target 82 (3 entries)
- PID 3124 (5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe) wrote to memory of PID 4904, procid_target 83 (3 entries)
- PID 316 (ridop.exe) wrote to memory of PID 1880, procid_target 94 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe (PID 3124)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ridop.exe (PID 316)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ridop.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\duzoz.exe (PID 1880)
         Command line: "C:\Users\Admin\AppData\Local\Temp\duzoz.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe (PID 4904)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
- Filesize: 342B
- MD5: 6cc0a0f85e04a320a865639a8416b503
- SHA1: 856723f3b651c5aa3eae579152a689133656723c
- SHA256: 104a99d9ac9258a2b7dccb5bb28a849cc22743fa370169e327626227afec2555
- SHA512: 7cd76b3422bfcd0dea7f5e821192e40000d5efda8a3d584e59a12a7f7e0b2b666553f4e2e394803621d36f2e4279056171badeb2568af4358ada1c3f2151b7f3

File 2
- Filesize: 172KB
- MD5: 64e044611499ebe0e2584526bc7d15cb
- SHA1: ffef87e2fed5d9982cd7dd4ca507f16023c0941e
- SHA256: 91745f1863484c6973814bf8bf5808f48a57fd44e9d914dc0de934ddebd8a35d
- SHA512: 0dac1f2c3b9a6b38bb23f3c1efffcc556efcec3a71bdf7fa56c7b9cdf749e25e2bc490273b8b8c10bf791dbdbf8e8eb5b5558027f869879f956808c371d2dd8a

File 3
- Filesize: 512B
- MD5: 9d1713aac733e94b46da029077ed72e2
- SHA1: 5258889cd68c8cfd2e1b1fd402da84b84124f9cd
- SHA256: 0dc2bbeacdedfbd1e8b950c15bb8fd84ab0b58deccd857cdfd6d92811d083670
- SHA512: c65f6294c212b171f60516a67d1bfaf332fb637797ebbe4f25f9b8d752dfecd41be75228b207908298d30bb4ef579ad75773f8ae298e336a21b784f0874989b3

File 4
- Filesize: 334KB
- MD5: 7ae9710bad7b04f098e5223483da24bf
- SHA1: 89567e6046891e7c8c14f25dee612455c972749d
- SHA256: 31205a2c66b39989dd0e8a198e76f2de7c2b8713af583de829b459aae31c1c8a
- SHA512: 3f1b22fd4c4879b1a0d22a530b82d2e0acc3f32caef689a7b97838dd36e0760fe04d1c93ab8308a395eaffedb5b9dc0cac436b28fc928e46c3ef4c8ffa7b5554