Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 119s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 05/12/2024, 15:28
Static task: static1
Behavioral task: behavioral1
Sample: 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Resource: win7-20240903-en
General
  Target: 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
  Size: 333KB
  MD5: 2cc1c91da4b72fd5328644f18b3514a0
  SHA1: 1a8d4ebd5eff3bfd7df53a62ee8fee648589843b
  SHA256: 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589
  SHA512: 122440ace5368f4b9a912998a1cb62b6d0b26a487aee1f4ec89b8eeeb4d3dfa84bdf003405c926e3737e745f89d77ecb49b6ee1362861d24dde021df982083df
  SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ci3
Malware Config
  Extracted: urelas
    218.54.31.226
    218.54.31.165
    218.54.31.166
Signatures
  Urelas family

  Deletes itself (1 IoC)
    pid 1708  cmd.exe

  Executes dropped EXE (2 IoCs)
    pid 2764  koguf.exe
    pid 2336  quuco.exe

  Loads dropped DLL (2 IoCs)
    pid 2900  604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
    pid 2764  koguf.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  koguf.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  quuco.exe

  Suspicious behavior: EnumeratesProcesses (24 IoCs)
    pid 2336  quuco.exe  (24 identical entries)

  Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   Process                                                                   procid_target
    PID 2900 wrote to memory of 2764   2900  604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe   28  (entry repeated 4 times)
    PID 2900 wrote to memory of 1708   2900  604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe   29  (entry repeated 4 times)
    PID 2764 wrote to memory of 2336   2764  koguf.exe                                                                 33  (entry repeated 4 times)
Processes (indentation shows the parent/child relationship)

  C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe"
    PID: 2900
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\koguf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\koguf.exe"
      PID: 2764
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\quuco.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\quuco.exe"
        PID: 2336
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 1708
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 342B
    MD5: ceb84504f175f405c77ff6588a2d2592
    SHA1: 7b63056cd33b6b5c40ccdfea828d20a962fc9113
    SHA256: a81ff24fbda9d44d5721e0cc33a6cfa85c716e4459a05f41cd6416e1ebd67f9c
    SHA512: 9c10a0dd7c90fd78eb47a4c949dcabacdf097eabf231a65db365547456ef26d37b1be80d51b75c5f45ee56cc089d2e433d4ea6fee16c524b4202458467e36d3a

  - Filesize: 512B
    MD5: 4ecf93b96e0ff6758e5b495d46d4b5f3
    SHA1: 1a9f01da6d25d159182f5651cdf8be95f1c776a6
    SHA256: 563b291969738bd971a3ddb3321b6e05e5a19c2006df44ebd527e810dadd9416
    SHA512: b6e16637c107c5b301c12b759026244a24ff6f7696f31aecbd7ae0618472659b6fc25d3fb8bed866b3c2ed69a4f44af0dbfd265a54104dda1993ecdd598e3b3a

  - Filesize: 172KB
    MD5: 70bc01a95452c035d85765cf315b6c19
    SHA1: 89b03df5fd4e5cfaa6ad49a1d8d3f93b4f614f86
    SHA256: 3c8ee432d1268890dd4a5f3924949ece36d9c993b927e1be08393487837817d9
    SHA512: 3e868ff61284b3ccb7b464f6ff1dfc508706fbc18f1f297ac10ccf9c6a0f2998746611c6c82968f687a6c82449a8b3b91abbb3d218062059595b72a27fdd8e64

  - Filesize: 334KB
    MD5: 1e5c1d7c2962768bdc078e73895ed6df
    SHA1: 0cee9ae0f4d94f29e011526aaeb12e9f9347faec
    SHA256: d369b0431aac83a28c8bcdb205e37efd4cb1cb112efd79b39812e4fb113e7355
    SHA512: 1c6d2cb2f38c03e9499d19e06f2f035745c7c2b737bb7736efd011c5e12e3e44218a513e0123fb2571d8a00a9e1ab2a0712194e074363af4fce90176905e4a5d