Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2024, 10:11 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
Resource: win7-20240708-en
General
- Target: 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
- Size: 334KB
- MD5: eb2d3d257b3049fc2300c2a67cb9033b
- SHA1: 92ddb111ebc3424ddb8d4a9a62d2b4d429d26bde
- SHA256: 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999
- SHA512: 2cfdf39cdcfcbdb2bd6a909fe2d0228af9b0028b684053cbe1280df36914a557f22d05383ef4839b9845cb6940cffacae2aee830c9e393a006aadaaf2faecffe
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI2:vHW138/iXWlK885rKlGSekcj66ci0
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Urelas family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | xyajb.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  64 | xyajb.exe
  3692 | obome.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obome.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xyajb.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3692 | obome.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 652 wrote to memory of 64 | 652 | 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe | 83 (3 entries)
  PID 652 wrote to memory of 1912 | 652 | 8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe | 84 (3 entries)
  PID 64 wrote to memory of 3692 | 64 | xyajb.exe | 102 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
   "C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe"
   PID: 652
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\xyajb.exe
      "C:\Users\Admin\AppData\Local\Temp\xyajb.exe"
      PID: 64
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\obome.exe
         "C:\Users\Admin\AppData\Local\Temp\obome.exe"
         PID: 3692
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 1912
      - System Location Discovery: System Language Discovery
Network
Reverse DNS (PTR) lookups, all via remote address 8.8.8.8:53:
- Request: 228.249.119.40.in-addr.arpa IN PTR; Response: (none shown)
- Request: 133.32.126.40.in-addr.arpa IN PTR; Response: (none shown)
- Request: 209.205.72.20.in-addr.arpa IN PTR; Response: (none shown)
- Request: 200.163.202.172.in-addr.arpa IN PTR; Response: (none shown)
- Request: 171.39.242.20.in-addr.arpa IN PTR; Response: (none shown)
- Request: 86.49.80.91.in-addr.arpa IN PTR; Response: (none shown)
- Request: 172.214.232.199.in-addr.arpa IN PTR; Response: (none shown)
Other flows (as extracted, no remote address recorded):
- 260 B 5
- 260 B 5
- 260 B 5
- 260 B 5
DNS request summary (bytes sent | bytes received | requests | responses):
- 228.249.119.40.in-addr.arpa: 73 B | 159 B | 1 | 1
- 133.32.126.40.in-addr.arpa: 72 B | 158 B | 1 | 1
- 209.205.72.20.in-addr.arpa: 72 B | 158 B | 1 | 1
- 200.163.202.172.in-addr.arpa: 74 B | 160 B | 1 | 1
- 171.39.242.20.in-addr.arpa: 72 B | 158 B | 1 | 1
- 86.49.80.91.in-addr.arpa: 70 B | 145 B | 1 | 1
- 172.214.232.199.in-addr.arpa: 74 B | 128 B | 1 | 1
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: aea786f52d02e1baedf975956521428e
  SHA1: c90aa68f34b0a178efa7e236ba1ea0f8acebcebb
  SHA256: c3f8bd8b4e1f9d029294857059a46a58ea0770aaf56ffe80d2ac4aadd5fc11c0
  SHA512: f10db91b5572b738e4ecf2c48a6cadf90817635563ab756b83732c4d9fcd958fc6198f3cde764ff4a25a7076799ead4dfe10c82468ced3a28cc6e3122b4f32fd
- Filesize: 512B
  MD5: 1ccdb17a21186b19efe2257039d55c07
  SHA1: 98b4e5f4a27d44b07a517b83f5e05a77d902d074
  SHA256: 53fc8dafefbdf0c295e911ba20f667ba13a91f1e990290a0bbe2ab1b0934fe28
  SHA512: 09ea8e6bb3a1f0e06211e105a3f571a50727f8275956ad2ce685ed20351fffd4c2fd743a7226c2754a9a0c77c2d5243853a889a8fc1070d96a322adcfae99c08
- Filesize: 172KB
  MD5: 1044b54cd3642604bbefc312f215a2b7
  SHA1: de620aa325e6fa93eb69cdab0058584bcd086440
  SHA256: 711222f2babda364269aee5e984e19a4040a836b5789a7d134c733e0abda4462
  SHA512: 64287f4d1293d144b109fddbdd3f97297f566dfe5acb8f09ac306fd07fc0ea786bc0cb0033a04ca8ab361675b115a305cfc9fbb427858ef2fe273c99ad80dee3
- Filesize: 334KB
  MD5: 281aec06e024dcf0f93e5621ef4abeeb
  SHA1: 28f08c4cf2486f84de69c43a1caf8e8ccbefb4d3
  SHA256: e655959ab00d2e58d5216b93fd2bf74487ae3a0bba2633e487d1c18c83a35904
  SHA512: f8f203bb5d270154e368466dea655c889dfc8a0dcdc7da9afc7243093dc977d3cefcbd454678911c2294568962960aa35c13b7572a719d8f9fa15df42bdf72b4