Analysis
  max time kernel:   120s
  max time network:  90s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         05/12/2024, 14:11
Static task:      static1
Behavioral task:  behavioral1
  Sample:    b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
  Resource:  win7-20240903-en
General
  Target:  b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
  Size:    334KB
  MD5:     48c754b5a0b4931fb08ad6a060c6f3c5
  SHA1:    3056f95cc54e0a8ee01bb930e279e876c4bc1c45
  SHA256:  b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691
  SHA512:  bb175497b013686162ce71fb8112f16b4ab0746357612fd0fa9406b727ff3907ef7ec96459e3e05163e380cb84bd6a737667299c2ccea65df5579df9071d6b94
  SSDEEP:  6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9U:vHW138/iXWlK885rKlGSekcj66ciIU
Malware Config
Extracted
  Family:  urelas
  C2:      218.54.31.226
           218.54.31.165
           218.54.31.166
Signatures

Urelas family

Deletes itself (1 IoC)
  pid   process
  2216  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   process
  304   rokoe.exe
  1852  duafh.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1800  b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
  304   rokoe.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rokoe.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  duafh.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid   process    count
  1852  duafh.exe  25 (all 25 events come from this one process)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                 procid_target  count
  PID 1800 wrote to memory of 304   1800  b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe  31             4
  PID 1800 wrote to memory of 2216  1800  b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe  32             4
  PID 304 wrote to memory of 1852   304   rokoe.exe                                                               35             4
  Note: every target (304, 2216, 1852) is a child the writing process had just spawned (see the process tree below), which is the pattern of ordinary child-process setup; the report shows no write into a pre-existing, unrelated process, so this signature alone is not evidence of injection.
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe  (PID 1800)
  command line: "C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\rokoe.exe  (PID 304)
    command line: "C:\Users\Admin\AppData\Local\Temp\rokoe.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\duafh.exe  (PID 1852)
      command line: "C:\Users\Admin\AppData\Local\Temp\duafh.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe  (PID 2216)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
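The process tree above carries two hunting signals that generalise beyond this sample: an executable running from the user's Temp directory launching further executables from the same directory (1800 -> 304 -> 1852), and that same Temp-resident executable spawning cmd.exe /c on a .bat in Temp, the usual shape of a self-deletion stub. The script below is an added example, not part of the Triage report or of Urelas: it runs both heuristics over a constructed, Sysmon-style (Event ID 1) rendering of the tree. The field names, the parent PID of the sample (1234) and the benign notepad.exe control event are assumptions; everything else is taken from the tree.

```python
"""Process-tree heuristics for the chain shown above: dropped executables
launched from the user's Temp directory, and self-deletion via a cmd.exe
batch file.

Added example, not part of the Triage report. EVENTS is a constructed,
Sysmon-style (Event ID 1) rendering of the report's process tree; the field
names, the PPID of the sample (1234) and the notepad.exe control event are
assumptions.
"""
import re
from dataclasses import dataclass

EVENTS = [
    {"pid": 1800, "ppid": 1234,  # PPID assumed; the report does not show it
     "image": r"C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe"'},
    {"pid": 304, "ppid": 1800,
     "image": r"C:\Users\Admin\AppData\Local\Temp\rokoe.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\rokoe.exe"'},
    {"pid": 2216, "ppid": 1800,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 1852, "ppid": 304,
     "image": r"C:\Users\Admin\AppData\Local\Temp\duafh.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\duafh.exe"'},
    # Constructed benign control event: must not produce a finding.
    {"pid": 3000, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Per-user Temp directory, matched case-insensitively anywhere in the path.
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# A drive-letter path ending in .bat inside a (possibly double-quoted) command line.
BAT_PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.bat)\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    ppid: int
    detail: str


def in_user_temp(path: str) -> bool:
    """True if the path lies under C:\\Users\\<name>\\AppData\\Local\\Temp\\."""
    return bool(USER_TEMP_RE.search(path))


def lineage(events, pid):
    """PIDs from the outermost known ancestor down to pid, e.g. [1800, 304, 1852]."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return findings for children of processes that run from the user's Temp dir."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not in_user_temp(parent["image"]):
            continue  # only look at children of a Temp-resident executable
        image = e["image"].lower()
        # Rule 1: Temp-resident executable launches another executable from Temp
        # (the report's 'Executes dropped EXE' chain: 1800 -> 304 -> 1852).
        if image.endswith(".exe") and in_user_temp(e["image"]):
            findings.append(Finding("dropped_exe_from_temp", e["pid"], e["ppid"],
                                    f"{parent['image']} -> {e['image']}"))
        # Rule 2: cmd.exe /c running a .bat that lives in Temp, spawned by a
        # Temp-resident executable (the report's 'Deletes itself' via _uinsey.bat).
        if image.endswith("\\cmd.exe") and re.search(r"\s/c\s", e["cmdline"], re.IGNORECASE):
            m = BAT_PATH_RE.search(e["cmdline"])
            if m and in_user_temp(m.group(1)):
                findings.append(Finding("self_delete_batch", e["pid"], e["ppid"], m.group(1)))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} ppid={f.ppid:<5} "
              f"lineage={lineage(EVENTS, f.pid)} {f.detail}")
```

Run against the constructed events it reports rokoe.exe and duafh.exe under dropped_exe_from_temp and cmd.exe (PID 2216) under self_delete_batch, with the batch path as the detail; notepad.exe produces nothing. Temp-to-Temp execution is also how many legitimate installers behave, so in production rule 1 is a triage signal to combine with the batch-file rule or with the Temp file later disappearing, not an alert on its own.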
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize:  340B
  MD5:       fcee18b4f5a4109143fc8d5fb58a648c
  SHA1:      c5151910f25c710befc931b38730f8ab3119067e
  SHA256:    148df7dbcaf5f4eab988643544f498c546cbc3ab0eaf32f9897bd85c773c3634
  SHA512:    85c86921fda408d6826d1af702cd01cc19d63a03b45b31ea40e372921adeef9281a119a8b9faa2924e4fbc6342f924e9f111be071a20fae89771e8a9e288178a

File 2
  Filesize:  512B
  MD5:       d355512537c553941e785a9f8b6c5be9
  SHA1:      d88fd3f1abd282ede5798a67ca21d47815e4e2de
  SHA256:    fed84d7b95c562c53612f2a6d0137b6c2d0f00d6ea164fa59f02dd896b61b248
  SHA512:    736e24d85287017a8984a9e631310272bad09312ddb14c3b7da7a896e8c5fb1f2a56780aaa6ee5e70770f3b744b39676c285292f4dc848684e78fd1b03081830

File 3
  Filesize:  172KB
  MD5:       31b984189052bfe39124eae24997d8e5
  SHA1:      33b2515c8243f1a42b6c2e6a02708674a810abc9
  SHA256:    7f47278a8a2a22fad21879942ab7922d4a9ef66440ca2967b7392db19b09fcaf
  SHA512:    1da2575e13d600ea7754e482bacac4e7725d625790f86527d7e161dd4004a78978aa224566e7573578b8c5da8b0812feafc9980916b39572d5974312ebca1f77

File 4
  Filesize:  334KB
  MD5:       2620e8a13b832a6dcca941b43ca42501
  SHA1:      233506f2d7dd9d58b2c8f370c7a8cd5213eb6e43
  SHA256:    cf0207da1b6c2e46e9d60af4bf4059f8d97cfd70080a613aa1b363e38a29663a
  SHA512:    94ead77565b7fce3217ee31a73db885627d6d8a3b1f8049584ebcb08567efaab916644f5b73a68d41aeb2a542eca542604c4141c50f8d254edf60938bd885816