Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2024, 12:21

General

  • Target

    776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe

  • Size

    334KB

  • MD5

    6880190130796f515d46f9f542a953e0

  • SHA1

    9266e0bc63bc4647b39d3825c7c2a8977e7a7de4

  • SHA256

    776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17

  • SHA512

    37267d0c0055bf6cd85f94aa0176e9f188a573414cf640096443d6a845049bda69befdec162572bcff137fa50b58da7f60598a7ad89d9b1fed5af7e4f009733a

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ciV

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe
    "C:\Users\Admin\AppData\Local\Temp\776ec9790a94bd2bd57bc4f6667cfc821b691e13e7be1a4110f86680a23c1d17N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\gigop.exe
      "C:\Users\Admin\AppData\Local\Temp\gigop.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Users\Admin\AppData\Local\Temp\jugiy.exe
        "C:\Users\Admin\AppData\Local\Temp\jugiy.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1656
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    4be2edb18f8fe2a8a3343215ac5d05ce

    SHA1

    b2b01b4be8cd105766edb97c7a842bfc938a25b3

    SHA256

    56049cb6a01f1914e8d2d1975a09dc2d843039c184584c17c60ebf360df16f9e

    SHA512

    ba8644f0d6acae70eebcf8a517a32cea890cdddb143876e3b49ab1a803e73ce36f133d5ca0d3b2b9987e4fe90290e1db35a64e318873b488f4caaaa37897b1a3

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    981e37ce0e989c42fd1f0e38c02f318c

    SHA1

    1022119e2cd2f7a9a68a6a89817ea1a357e75b06

    SHA256

    494635392da1354958549561de1a4ede3ab74ee4feb92f635b309fde6595ec3a

    SHA512

    30d4ca43bfdd7941dc212a0dffa07063e386ed4fef7e2eb70b49e33eac9517ca791c920b6b2991fcd42436d3bbfa18bbeab9b32be634359b8f7f763f7af3c9bc

  • \Users\Admin\AppData\Local\Temp\gigop.exe

    Filesize

    334KB

    MD5

    0c33beb1cd457ca30ae662b03d3452b4

    SHA1

    b247d4d6f93230e7da91d1d0d9f1f4d9bedd538f

    SHA256

    b3b3854d4342526aac3dd3bfd02802c7f5ec47088e706b431edeb1958f711a2b

    SHA512

    1caba4e860c88dfdf2c137f2b34caf89e8fae2ea1717828c448949e5f8567461662e196428c2ce7075e27d25bb8f99bac0c195f36f3973fa12914b31bd18e026

  • \Users\Admin\AppData\Local\Temp\jugiy.exe

    Filesize

    172KB

    MD5

    dcd957c7315abe6ec9bdaf8e82a8849e

    SHA1

    7820b8977a4a153c3f9bd9a0c28f0ecb7ed7e0d9

    SHA256

    f33befa7eae0ba6bd8fba7730f623d68a6da36210298a40e1550619768049533

    SHA512

    af75af60902668e2c0c08b09c1ea30be4a7a99d231d6634a5371723cb27356dc0125746c6797c0f9a79133b3bb8edd3b270df5140c07ee1f513b7c162b5fc6d5

  • memory/1656-47-0x0000000001050000-0x00000000010E9000-memory.dmp

    Filesize

    612KB

  • memory/1656-46-0x0000000001050000-0x00000000010E9000-memory.dmp

    Filesize

    612KB

  • memory/1656-41-0x0000000001050000-0x00000000010E9000-memory.dmp

    Filesize

    612KB

  • memory/1656-42-0x0000000001050000-0x00000000010E9000-memory.dmp

    Filesize

    612KB

  • memory/2540-11-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2540-23-0x00000000013A0000-0x0000000001421000-memory.dmp

    Filesize

    516KB

  • memory/2540-24-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2540-40-0x00000000013A0000-0x0000000001421000-memory.dmp

    Filesize

    516KB

  • memory/3004-20-0x0000000001100000-0x0000000001181000-memory.dmp

    Filesize

    516KB

  • memory/3004-0-0x0000000001100000-0x0000000001181000-memory.dmp

    Filesize

    516KB

  • memory/3004-7-0x0000000002C30000-0x0000000002CB1000-memory.dmp

    Filesize

    516KB

  • memory/3004-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB