Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 03:18
Behavioral task: behavioral1
Sample: da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
Resource: win7-20240729-en
General
Target: da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
Size: 514KB
MD5: 91b0994aae31d7a21d910f3022501e9d
SHA1: 53cc2876b04a7e80ef64f7c2cb8f28b4de652176
SHA256: da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f
SHA512: 57aa2a357a9483bed17eb5bda655fd9cec4f592a649867e1aea4d89b9e723ed4be2d0219c2750317454fc098ccb310b2e42ffec3bd19c2e17a121a90e50caa72
SSDEEP: 12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo1:3MUv2LAv9AQ1p4dKI
Malware Config
Extracted family: urelas
Extracted addresses:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Urelas family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | hoxip.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  5008 | hoxip.exe
  320 | dobuk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hoxip.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dobuk.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  320 | dobuk.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3016 wrote to memory of 5008 | 3016 | da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe | 83 (3 identical entries)
  PID 3016 wrote to memory of 3024 | 3016 | da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe | 84 (3 identical entries)
  PID 5008 wrote to memory of 320 | 5008 | hoxip.exe | 104 (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe (PID 3016)
  command line: "C:\Users\Admin\AppData\Local\Temp\da19e1cec5aa6bbd039dfb413ca66d162fcf612714e6ea35efe8126a9ad5056f.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\hoxip.exe (PID 5008)
    command line: "C:\Users\Admin\AppData\Local\Temp\hoxip.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\dobuk.exe (PID 320)
      command line: "C:\Users\Admin\AppData\Local\Temp\dobuk.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 3024)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads