Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 06:20
Behavioral task: behavioral1
Sample: 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Resource: win7-20240903-en
General
Target: 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Size: 337KB
MD5: a180800232f58a1f6096d76c594bf860
SHA1: 4f5ff11730ec328878bc3e6f23e4f060dc20b2a0
SHA256: 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702
SHA512: 9592f1979aa1f1363203de4e125421c1697748aa033d5792f320b9ce02a1215f9e18539ad5ccac5df3f12d7301986370d45c38b1ec7504ddc0dbd1611724c852
SSDEEP: 6144:4x4ITLKT/MUbCYqLbbCM2dWwh3gNUie2Jy+5vmSZGpd:4x4+LmMUbXq/byKLe2JPFS
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
Signatures

Urelas family
resource | yara_rule
behavioral2/files/0x000a000000023b96-10.dat | aspack_v212_v242
behavioral2/files/0x0005000000000034-39.dat | aspack_v212_v242
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | ovtoe.exe
Executes dropped EXE (2 IoCs)
pid | Process
4164 | ovtoe.exe
2272 | jofuv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ovtoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jofuv.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
pid | Process
2272 | jofuv.exe (the same entry is reported 48 times)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 324 wrote to memory of 4164 | 324 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 82
PID 324 wrote to memory of 4164 | 324 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 82
PID 324 wrote to memory of 4164 | 324 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 82
PID 324 wrote to memory of 2388 | 324 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 83
PID 324 wrote to memory of 2388 | 324 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 83
PID 324 wrote to memory of 2388 | 324 | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe | 83
PID 4164 wrote to memory of 2272 | 4164 | ovtoe.exe | 94
PID 4164 wrote to memory of 2272 | 4164 | ovtoe.exe | 94
PID 4164 wrote to memory of 2272 | 4164 | ovtoe.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe"
  PID: 324
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ovtoe.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ovtoe.exe"
      PID: 4164
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\jofuv.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\jofuv.exe"
          PID: 2272
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2388
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: e91efa32c84a1881b1d18e4f5ad1ad2f
SHA1: 5dcb841f644605b0266eb3a46590826751165615
SHA256: c186755c7beb23e3f69536ec56b6158f429cffb00a917b8b7e7573a5f4d55ed3
SHA512: 6e43bdee1cd15e66f1aeec474188de3402b5c75af2191fc45d16662ad75c697d1984af8b6aebf590fd2ccc0d9d0f36eb2745e2854b886472e3883ea03f876749

Filesize: 512B
MD5: f41e5073eba3c4458e9f9e7ab0787180
SHA1: 095bf5420b6d765d05f521934e2bc1f2af93574d
SHA256: 61c09a12d4029e7f900452758b99ace9e3aaaac18d14f04618e69974567fa3ce
SHA512: 3ec35f05b813bae8a8c16a0a3010e875f3cfa2fdc362034d9fc97bec466fa67aab1dac787a8028ffd74e61ec270f0de208d65217c6250b532aaa3f632eb2b9e3

Filesize: 225KB
MD5: 6f3ba4b96863e39b167f0e8c0903125a
SHA1: 707152bd7494783652b7ed2aacc3a4b8955657ef
SHA256: 2ec92e482ea6409b3eba3edf535e671dcea2823e0e335d9ac0cdd0bac39a4dfd
SHA512: 9cd0f221c56b4c701ce16ac438ea22364785cc194e353ea976c8dd3052b0d2d36857683bb33c27722782393e5f65ee7d0c132f6268af37b69675e7a808b13538

Filesize: 337KB
MD5: c10773aaeccafb9068239bc64debdf53
SHA1: a10d8a26d22f32b47492da64f5a078b2b226435b
SHA256: 5a1a674b1a6740508a8d2e9e59d9b30d2314111268ef5ed8022704299192a467
SHA512: e54b1c4f59da55b04f4542b84b4164db78d16a708b23872fee7f49c2e6bf1913a617ca6c97d25c062e53db03754a2a8fc4f0756fe5e8a066a2dfb2d6ec40d8f4