Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8900e16788...99.exe

windows7-x64

10

8900e16788...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2024, 10:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe

  • Size

    334KB

  • MD5

    eb2d3d257b3049fc2300c2a67cb9033b

  • SHA1

    92ddb111ebc3424ddb8d4a9a62d2b4d429d26bde

  • SHA256

    8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999

  • SHA512

    2cfdf39cdcfcbdb2bd6a909fe2d0228af9b0028b684053cbe1280df36914a557f22d05383ef4839b9845cb6940cffacae2aee830c9e393a006aadaaf2faecffe

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI2:vHW138/iXWlK885rKlGSekcj66ci0

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
    "C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\omfox.exe
      "C:\Users\Admin\AppData\Local\Temp\omfox.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Local\Temp\zusyw.exe
        "C:\Users\Admin\AppData\Local\Temp\zusyw.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2228

Network

    No results found
  • 218.54.31.226:11300
    omfox.exe
    152 B
     3
  • 1.234.83.146:11170
    omfox.exe
    152 B
     3
  • 218.54.31.166:11300
    omfox.exe
    152 B
     3
  • 133.242.129.155:11300
    omfox.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    aea786f52d02e1baedf975956521428e

    SHA1

    c90aa68f34b0a178efa7e236ba1ea0f8acebcebb

    SHA256

    c3f8bd8b4e1f9d029294857059a46a58ea0770aaf56ffe80d2ac4aadd5fc11c0

    SHA512

    f10db91b5572b738e4ecf2c48a6cadf90817635563ab756b83732c4d9fcd958fc6198f3cde764ff4a25a7076799ead4dfe10c82468ced3a28cc6e3122b4f32fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    9a28693880857f378c5fc8b4eeac6c98

    SHA1

    f007587a07a03541181ca64a99fd2ca673ab0d25

    SHA256

    780bc11394c3634fc9eb88253acf7e9af9495377eee6b3f2b7e94461647c88b3

    SHA512

    9b3085fde0ad1284d86ac57c343a392f2afe06d90a5ee093105c19042acfa60aab559e582b10622a326498db60abc70eaa6f4358ad45a86b939308f3eb8b3d9a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\omfox.exe
    Filesize

    334KB

    MD5

    64403b6f699ef0d027ad051bf28976b5

    SHA1

    d3e5ab1929c88be1565622b16ea92f881a4cc50c

    SHA256

    37c756520f85b8345e37850930439430368fc61ede8d935c96abe4c154c928bf

    SHA512

    45814238f75cf61ab0a13136ee12d35d2d81e6491aa388d30492b0918511e5ab09b2e74f9c6f6695a16cad0706a8e3e382c1417b72d33bb2331259e0dd22d3eb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\zusyw.exe
    Filesize

    172KB

    MD5

    24c5c4f1eeed7f39fdc6727dc0e8c06d

    SHA1

    40e30189dcd6c178df756b3c882471bc419bc392

    SHA256

    05443f984f2b6bfb584dc5ef8155127996c68a7524f8d52e80c5ac07c2574b2a

    SHA512

    8e44685befb0a7ef6b7087e96659b149728f8c52a833ee0111ce126ad9bca866f2fad28780a0dad14b63170499ea2cfcb6e131accd3fbfd6f5d376d3ca028e3f

    Download Submit

  • memory/1948-49-0x00000000010C0000-0x0000000001159000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1948-46-0x00000000010C0000-0x0000000001159000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1948-47-0x00000000010C0000-0x0000000001159000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1948-50-0x00000000010C0000-0x0000000001159000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1948-42-0x00000000010C0000-0x0000000001159000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1948-48-0x00000000010C0000-0x0000000001159000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1948-41-0x00000000010C0000-0x0000000001159000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2280-6-0x00000000029C0000-0x0000000002A41000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2280-0-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2280-20-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2280-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2528-23-0x0000000000D00000-0x0000000000D81000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2528-38-0x0000000002440000-0x00000000024D9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2528-39-0x0000000000D00000-0x0000000000D81000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2528-12-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.