Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 14:11
Static task: static1
Behavioral task: behavioral1
Sample: b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
Resource: win7-20240903-en
General
Target: b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
Size: 334KB
MD5: 48c754b5a0b4931fb08ad6a060c6f3c5
SHA1: 3056f95cc54e0a8ee01bb930e279e876c4bc1c45
SHA256: b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691
SHA512: bb175497b013686162ce71fb8112f16b4ab0746357612fd0fa9406b727ff3907ef7ec96459e3e05163e380cb84bd6a737667299c2ccea65df5579df9071d6b94
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9U:vHW138/iXWlK885rKlGSekcj66ciIU
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Urelas family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (process: b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (process: xebuj.exe)

Executes dropped EXE (2 IoCs)
- PID 3928: xebuj.exe
- PID 2988: opbio.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: opbio.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xebuj.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses (48 IoCs)
- PID 2988: opbio.exe (48 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3512 wrote to memory of 3928 (process: b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe, procid_target 83), logged 3 times
- PID 3512 wrote to memory of 3188 (process: b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe, procid_target 84), logged 3 times
- PID 3928 wrote to memory of 2988 (process: xebuj.exe, procid_target 102), logged 3 times
Processes
Depth 1, PID 3512: C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Depth 2, PID 3928: C:\Users\Admin\AppData\Local\Temp\xebuj.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\xebuj.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Depth 3, PID 2988: C:\Users\Admin\AppData\Local\Temp\opbio.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\opbio.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  Depth 2, PID 3188: C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
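The registry rows under "Checks computer location settings" and "System Language Discovery", together with the WriteProcessMemory rows and the process tree above, describe one pattern: each stage reads the configured country (Geo\Nation) and the installed language (NLS\Language) and only then spawns the next stage. The script below, added here as an example and not tria.ge's code or anything from the sample, folds sandbox-style events into a process tree and flags that pattern. The event records are constructed to mirror the report's PIDs, parent/child rows and registry paths; their dict shape and the placeholder name sample.exe (standing in for the SHA256-named dropper) are assumptions.

```python
"""Reconstruct a sandbox process tree and flag the locale/geofence check pattern.

Added example, not tria.ge code and not the sample's own logic. The event
records below are constructed to mirror the report (PIDs, parent/child rows,
registry paths); their dict shape and the name sample.exe are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Registry values read before the chain continues. Matching is on the lower-cased
# path tail, so the HKCU SID and the ControlSet number do not matter.
GEOFENCE_KEYS = {
    r"\control panel\international\geo\nation": r"Geo\Nation",  # country code set by the user
    r"\control\nls\language": r"NLS\Language",                  # installed system language
}


@dataclass
class Proc:
    pid: int
    image: str
    parent: int | None = None
    children: list[int] = field(default_factory=list)
    reg_hits: set[str] = field(default_factory=set)


def match_geofence_key(path: str) -> str | None:
    """Return the short label for a geofence-relevant registry path, else None."""
    low = path.lower()
    for suffix, label in GEOFENCE_KEYS.items():
        if low.endswith(suffix):
            return label
    return None


def build_tree(events: list[dict]) -> dict[int, Proc]:
    """Fold process-create and registry-query events into a pid-keyed tree.

    Process-create rows may repeat (the report logs each WriteProcessMemory
    three times), so a child is linked to its parent only once.
    """
    procs: dict[int, Proc] = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], Proc(ev["pid"], ev.get("image", "?")))
        if ev.get("image"):
            p.image = ev["image"]
        if ev["type"] == "process" and ev.get("ppid") is not None:
            p.parent = ev["ppid"]
            parent = procs.setdefault(ev["ppid"], Proc(ev["ppid"], "?"))
            if p.pid not in parent.children:
                parent.children.append(p.pid)
        elif ev["type"] == "regquery":
            label = match_geofence_key(ev["key"])
            if label:
                p.reg_hits.add(label)
    return procs


def flag_geofence(procs: dict[int, Proc]) -> list[int]:
    """PIDs that read every locale value and then spawned a child.

    Reading Geo\\Nation or NLS\\Language alone is common (installers, updaters);
    the shape in the report is reading both and then continuing the chain.
    """
    return sorted(
        p.pid for p in procs.values()
        if len(p.reg_hits) == len(GEOFENCE_KEYS) and p.children
    )


def render_tree(procs: dict[int, Proc], pid: int, depth: int = 0) -> list[str]:
    """One line per process, indented by depth, with the locale keys it read."""
    p = procs[pid]
    tag = f" [{', '.join(sorted(p.reg_hits))}]" if p.reg_hits else ""
    lines = [f"{'  ' * depth}{p.pid} {p.image}{tag}"]
    for child in p.children:
        lines.extend(render_tree(procs, child, depth + 1))
    return lines


# Constructed events mirroring the report's rows. sample.exe stands in for the
# SHA256-named dropper; the WriteProcessMemory triplicates are kept on purpose.
HKCU = r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000"
GEO = HKCU + r"\Control Panel\International\Geo\Nation"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3512, "ppid": None, "image": "sample.exe"},
    {"type": "regquery", "pid": 3512, "key": GEO},
    {"type": "regquery", "pid": 3512, "key": NLS},
    *[{"type": "process", "pid": 3928, "ppid": 3512, "image": "xebuj.exe"}] * 3,
    *[{"type": "process", "pid": 3188, "ppid": 3512, "image": "cmd.exe"}] * 3,
    {"type": "regquery", "pid": 3928, "key": GEO},
    {"type": "regquery", "pid": 3928, "key": NLS},
    {"type": "regquery", "pid": 3188, "key": NLS},
    *[{"type": "process", "pid": 2988, "ppid": 3928, "image": "opbio.exe"}] * 3,
    {"type": "regquery", "pid": 2988, "key": NLS},
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    print("\n".join(render_tree(tree, 3512)))
    print("geofence candidates:", flag_geofence(tree))
```

Run on the constructed events, only the dropper (3512) and xebuj.exe (3928) are flagged: both read Geo\Nation and NLS\Language and then spawned a child, which is exactly the two rows under "Checks computer location settings". opbio.exe and cmd.exe read only the language key and spawn nothing, so a rule keyed on the language lookup alone would fire on four processes and on plenty of benign installers; requiring both values plus a subsequent child process is the narrower shape worth alerting on.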
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: fcee18b4f5a4109143fc8d5fb58a648c
  SHA1: c5151910f25c710befc931b38730f8ab3119067e
  SHA256: 148df7dbcaf5f4eab988643544f498c546cbc3ab0eaf32f9897bd85c773c3634
  SHA512: 85c86921fda408d6826d1af702cd01cc19d63a03b45b31ea40e372921adeef9281a119a8b9faa2924e4fbc6342f924e9f111be071a20fae89771e8a9e288178a
- Filesize: 512B
  MD5: feb3a5c4d484c079efe42353a87bf640
  SHA1: 83e7bf9790c6537817953d337d5bbb59c317c119
  SHA256: 7fde0709ef871feca6f64f664c0af19ebf120332e317babd4eb9df693e7ddd4f
  SHA512: 13e2015da4ec21d02a143589a9ad0625f2e583a02492bbe48014e1f8070862f2de4730f22d780648dc106ed7151f43cfd4050dbaa97824017b7cf5147806897f
- Filesize: 172KB
  MD5: cc5af958b77015ba965eb773096c7c80
  SHA1: 55fb382ee2e48bc71d399b057cd3037c16f2437b
  SHA256: 8fd9fef02c70d5657ee9641dc2e51fec1a13c78c900908317927f3d6e35a5cc4
  SHA512: b464e8aaa325d1bbc79fbfe9f37955372b2b6418d639bdcf161d6046882bd785d96456366037405ac2fea2a2ed6ae08a8c3d96b17b03797e88d854c95912d236
- Filesize: 334KB
  MD5: c500880bda6bccb69f30ad827253e5a5
  SHA1: e5388cfee0c53f160e0055835142e4cbd414c4c8
  SHA256: 0c2c536cee64ae2f1366d5010b51ead68d051966d1638ccadde9a701efde68e4
  SHA512: 681399ed229c109ecf5d27db613ca44fafca35f8cdd15e60b6e8a5cacf74aa60ee6072eaa41e77518e2b3d262de1fd5a508e8a911ac58cbf8762214b425e92d6