Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2024, 14:11

General

  • Target

    b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe

  • Size

    334KB

  • MD5

    48c754b5a0b4931fb08ad6a060c6f3c5

  • SHA1

    3056f95cc54e0a8ee01bb930e279e876c4bc1c45

  • SHA256

    b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691

  • SHA512

    bb175497b013686162ce71fb8112f16b4ab0746357612fd0fa9406b727ff3907ef7ec96459e3e05163e380cb84bd6a737667299c2ccea65df5579df9071d6b94

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9U:vHW138/iXWlK885rKlGSekcj66ciIU

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
    "C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Local\Temp\rokoe.exe
      "C:\Users\Admin\AppData\Local\Temp\rokoe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Users\Admin\AppData\Local\Temp\duafh.exe
        "C:\Users\Admin\AppData\Local\Temp\duafh.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1852
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    fcee18b4f5a4109143fc8d5fb58a648c

    SHA1

    c5151910f25c710befc931b38730f8ab3119067e

    SHA256

    148df7dbcaf5f4eab988643544f498c546cbc3ab0eaf32f9897bd85c773c3634

    SHA512

    85c86921fda408d6826d1af702cd01cc19d63a03b45b31ea40e372921adeef9281a119a8b9faa2924e4fbc6342f924e9f111be071a20fae89771e8a9e288178a

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    d355512537c553941e785a9f8b6c5be9

    SHA1

    d88fd3f1abd282ede5798a67ca21d47815e4e2de

    SHA256

    fed84d7b95c562c53612f2a6d0137b6c2d0f00d6ea164fa59f02dd896b61b248

    SHA512

    736e24d85287017a8984a9e631310272bad09312ddb14c3b7da7a896e8c5fb1f2a56780aaa6ee5e70770f3b744b39676c285292f4dc848684e78fd1b03081830

  • \Users\Admin\AppData\Local\Temp\duafh.exe

    Filesize

    172KB

    MD5

    31b984189052bfe39124eae24997d8e5

    SHA1

    33b2515c8243f1a42b6c2e6a02708674a810abc9

    SHA256

    7f47278a8a2a22fad21879942ab7922d4a9ef66440ca2967b7392db19b09fcaf

    SHA512

    1da2575e13d600ea7754e482bacac4e7725d625790f86527d7e161dd4004a78978aa224566e7573578b8c5da8b0812feafc9980916b39572d5974312ebca1f77

  • \Users\Admin\AppData\Local\Temp\rokoe.exe

    Filesize

    334KB

    MD5

    2620e8a13b832a6dcca941b43ca42501

    SHA1

    233506f2d7dd9d58b2c8f370c7a8cd5213eb6e43

    SHA256

    cf0207da1b6c2e46e9d60af4bf4059f8d97cfd70080a613aa1b363e38a29663a

    SHA512

    94ead77565b7fce3217ee31a73db885627d6d8a3b1f8049584ebcb08567efaab916644f5b73a68d41aeb2a542eca542604c4141c50f8d254edf60938bd885816

  • memory/304-22-0x00000000002C0000-0x0000000000341000-memory.dmp

    Filesize

    516KB

  • memory/304-18-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/304-17-0x00000000002C0000-0x0000000000341000-memory.dmp

    Filesize

    516KB

  • memory/304-36-0x0000000003FB0000-0x0000000004049000-memory.dmp

    Filesize

    612KB

  • memory/304-39-0x00000000002C0000-0x0000000000341000-memory.dmp

    Filesize

    516KB

  • memory/1800-19-0x0000000000190000-0x0000000000211000-memory.dmp

    Filesize

    516KB

  • memory/1800-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/1800-0-0x0000000000190000-0x0000000000211000-memory.dmp

    Filesize

    516KB

  • memory/1852-43-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

  • memory/1852-40-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

  • memory/1852-45-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB

  • memory/1852-46-0x0000000001150000-0x00000000011E9000-memory.dmp

    Filesize

    612KB