Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05/12/2024, 10:11 UTC
General
-
Target
8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe
-
Size
334KB
-
MD5
eb2d3d257b3049fc2300c2a67cb9033b
-
SHA1
92ddb111ebc3424ddb8d4a9a62d2b4d429d26bde
-
SHA256
8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999
-
SHA512
2cfdf39cdcfcbdb2bd6a909fe2d0228af9b0028b684053cbe1280df36914a557f22d05383ef4839b9845cb6940cffacae2aee830c9e393a006aadaaf2faecffe
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI2:vHW138/iXWlK885rKlGSekcj66ci0
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe"C:\Users\Admin\AppData\Local\Temp\8900e16788ffccb1ca92d7e52964ab6190012e1fe1a999fd527b001c78daa999.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xyajb.exe"C:\Users\Admin\AppData\Local\Temp\xyajb.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\obome.exe"C:\Users\Admin\AppData\Local\Temp\obome.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
-
DNS228.249.119.40.in-addr.arpaRemote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse -
DNS133.32.126.40.in-addr.arpaRemote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
DNS209.205.72.20.in-addr.arpaRemote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
DNS200.163.202.172.in-addr.arpaRemote address:8.8.8.8:53Request200.163.202.172.in-addr.arpaIN PTRResponse
-
DNS171.39.242.20.in-addr.arpaRemote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
DNS86.49.80.91.in-addr.arpaRemote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
DNS172.214.232.199.in-addr.arpaRemote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
218.54.31.226:11300 -
1.234.83.146:11170
-
218.54.31.166:11300
-
133.242.129.155:11300
-
8.8.8.8:53228.249.119.40.in-addr.arpadns
DNS Request
228.249.119.40.in-addr.arpa
-
8.8.8.8:53133.32.126.40.in-addr.arpadns
DNS Request
133.32.126.40.in-addr.arpa
-
8.8.8.8:53209.205.72.20.in-addr.arpadns
DNS Request
209.205.72.20.in-addr.arpa
-
8.8.8.8:53200.163.202.172.in-addr.arpadns
DNS Request
200.163.202.172.in-addr.arpa
-
8.8.8.8:53171.39.242.20.in-addr.arpadns
DNS Request
171.39.242.20.in-addr.arpa
-
8.8.8.8:5386.49.80.91.in-addr.arpadns
DNS Request
86.49.80.91.in-addr.arpa
-
8.8.8.8:53172.214.232.199.in-addr.arpadns
DNS Request
172.214.232.199.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5aea786f52d02e1baedf975956521428e
SHA1c90aa68f34b0a178efa7e236ba1ea0f8acebcebb
SHA256c3f8bd8b4e1f9d029294857059a46a58ea0770aaf56ffe80d2ac4aadd5fc11c0
SHA512f10db91b5572b738e4ecf2c48a6cadf90817635563ab756b83732c4d9fcd958fc6198f3cde764ff4a25a7076799ead4dfe10c82468ced3a28cc6e3122b4f32fd
-
Filesize
512B
MD51ccdb17a21186b19efe2257039d55c07
SHA198b4e5f4a27d44b07a517b83f5e05a77d902d074
SHA25653fc8dafefbdf0c295e911ba20f667ba13a91f1e990290a0bbe2ab1b0934fe28
SHA51209ea8e6bb3a1f0e06211e105a3f571a50727f8275956ad2ce685ed20351fffd4c2fd743a7226c2754a9a0c77c2d5243853a889a8fc1070d96a322adcfae99c08
-
Filesize
172KB
MD51044b54cd3642604bbefc312f215a2b7
SHA1de620aa325e6fa93eb69cdab0058584bcd086440
SHA256711222f2babda364269aee5e984e19a4040a836b5789a7d134c733e0abda4462
SHA51264287f4d1293d144b109fddbdd3f97297f566dfe5acb8f09ac306fd07fc0ea786bc0cb0033a04ca8ab361675b115a305cfc9fbb427858ef2fe273c99ad80dee3
-
Filesize
334KB
MD5281aec06e024dcf0f93e5621ef4abeeb
SHA128f08c4cf2486f84de69c43a1caf8e8ccbefb4d3
SHA256e655959ab00d2e58d5216b93fd2bf74487ae3a0bba2633e487d1c18c83a35904
SHA512f8f203bb5d270154e368466dea655c889dfc8a0dcdc7da9afc7243093dc977d3cefcbd454678911c2294568962960aa35c13b7572a719d8f9fa15df42bdf72b4
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB