Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2024, 10:11 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
Resource: win7-20240708-en
General
Target: 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
Size: 334KB
MD5: eb2d3d257b3049fc2300c2a67cb9033b
SHA1: 92ddb111ebc3424ddb8d4a9a62d2b4d429d26bde
SHA256: 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999
SHA512: 2cfdf39cdcfcbdb2bd6a909fe2d0228af9b0028b684053cbe1280df36914a557f22d05383ef4839b9845cb6940cffacae2aee830c9e393a006aadaaf2faecffe
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI2:vHW138/iXWlK885rKlGSekcj66ci0
Malware Config
Extracted configuration (family: urelas), addresses:
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Urelas family
Deletes itself (1 IoC)
  pid 2228  cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2528  omfox.exe
  pid 1948  zusyw.exe
Loads dropped DLL (2 IoCs)
  pid 2280  8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
  pid 2528  omfox.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omfox.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zusyw.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid 1948  zusyw.exe  (the same entry recorded 54 times)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2280 wrote to memory of 2528  (8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe, procid_target 30), recorded 4 times
  PID 2280 wrote to memory of 2228  (8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe, procid_target 31), recorded 4 times
  PID 2528 wrote to memory of 1948  (omfox.exe, procid_target 34), recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe"
   PID: 2280
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\omfox.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\omfox.exe"
      PID: 2528
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\zusyw.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\zusyw.exe"
         PID: 1948
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2228
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads