Analysis
- max time kernel: 119s
- max time network: 78s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2024, 06:20
Behavioral task: behavioral1
- Sample: 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
- Resource: win7-20240903-en
General
- Target: 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
- Size: 337KB
- MD5: a180800232f58a1f6096d76c594bf860
- SHA1: 4f5ff11730ec328878bc3e6f23e4f060dc20b2a0
- SHA256: 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702
- SHA512: 9592f1979aa1f1363203de4e125421c1697748aa033d5792f320b9ce02a1215f9e18539ad5ccac5df3f12d7301986370d45c38b1ec7504ddc0dbd1611724c852
- SSDEEP: 6144:4x4ITLKT/MUbCYqLbbCM2dWwh3gNUie2Jy+5vmSZGpd:4x4+LmMUbXq/byKLe2JPFS
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
Signatures
- Urelas family
  resource | yara_rule
  behavioral1/files/0x0008000000015d0e-12.dat | aspack_v212_v242
  behavioral1/files/0x0009000000015d41-40.dat | aspack_v212_v242
- Deletes itself (1 IoC)
  pid | Process
  2360 | cmd.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1620 | ebzuy.exe
  2600 | wyfuv.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1704 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
  1620 | ebzuy.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wyfuv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebzuy.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid | Process
  2600 | wyfuv.exe (the same entry is recorded 24 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1704 wrote to memory of 1620 | 1704 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 30 (recorded 4 times)
  PID 1704 wrote to memory of 2360 | 1704 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 31 (recorded 4 times)
  PID 1620 wrote to memory of 2600 | 1620 | ebzuy.exe | 34 (recorded 4 times)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe"
  PID: 1704
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\ebzuy.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ebzuy.exe"
    PID: 1620
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Local\Temp\wyfuv.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\wyfuv.exe"
      PID: 2600
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2360
    - Deletes itself
    - System Location Discovery: System Language Discovery
Downloads