Analysis
max time kernel: 119s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 15:28
Static task: static1
Behavioral task: behavioral1
Sample: 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Resource: win7-20240903-en
General
Target: 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Size: 333KB
MD5: 2cc1c91da4b72fd5328644f18b3514a0
SHA1: 1a8d4ebd5eff3bfd7df53a62ee8fee648589843b
SHA256: 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589
SHA512: 122440ace5368f4b9a912998a1cb62b6d0b26a487aee1f4ec89b8eeeb4d3dfa84bdf003405c926e3737e745f89d77ecb49b6ee1362861d24dde021df982083df
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ci3
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Urelas family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | kukoe.exe
Executes dropped EXE (2 IoCs)
pid | Process
4288 | kukoe.exe
4768 | ashoa.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ashoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kukoe.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
pid | Process
4768 | ashoa.exe (46 identical IoC rows)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 5056 wrote to memory of 4288 | 5056 | 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe | 83 (3 identical rows)
PID 5056 wrote to memory of 3624 | 5056 | 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe | 84 (3 identical rows)
PID 4288 wrote to memory of 4768 | 4288 | kukoe.exe | 104 (3 identical rows)
Processes
Path: C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe"
Depth: 1
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5056

  Path: C:\Users\Admin\AppData\Local\Temp\kukoe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kukoe.exe"
  Depth: 2
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4288

    Path: C:\Users\Admin\AppData\Local\Temp\ashoa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ashoa.exe"
    Depth: 3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4768

  Path: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  Depth: 2
  - System Location Discovery: System Language Discovery
  PID: 3624
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 342B
MD5: ceb84504f175f405c77ff6588a2d2592
SHA1: 7b63056cd33b6b5c40ccdfea828d20a962fc9113
SHA256: a81ff24fbda9d44d5721e0cc33a6cfa85c716e4459a05f41cd6416e1ebd67f9c
SHA512: 9c10a0dd7c90fd78eb47a4c949dcabacdf097eabf231a65db365547456ef26d37b1be80d51b75c5f45ee56cc089d2e433d4ea6fee16c524b4202458467e36d3a

Filesize: 172KB
MD5: 1e411be92a6edd5a68d800b4509dc31b
SHA1: 32a5cf33c80702cbf74ebddfeaad61b4bb39315b
SHA256: 6a4466aaec2679bd8514e3dd0a3a96a9c21eeb5c7f65245160583f75dd25859c
SHA512: aa633d95a7a1e9564a213ed8268db3c39805cc85b11fbfa666c279cfe2f176c11ca4b7ca3514028c42a582f1126919d7e4b5fde9d8f76dfd7a712b5f1644a163

Filesize: 512B
MD5: 2d6150e36173de1920d2fdef419328bd
SHA1: 597a8ee46978e8944175bdfa848244372f0a2af2
SHA256: 75946467dc4a0a6b78289be3172051570791eea86a3e10e3a16fcf666e67251c
SHA512: 0f6cdc2c6305d33aaeb8387bc8746c2eed09728829471bb5a0727f79bfb701b0dbcdaebf15ba3d8e0785dbd0760fb2610754899ca147ca37aa5a08ae275b63fd

Filesize: 334KB
MD5: 0a5fbb41e243985ac3bbe0a09f8ae8fa
SHA1: 95a25f8a2400b0e5c82a815d3cf4ab8ccbb26b4a
SHA256: b4c9bd63bfb706bc373b3c5a6b92a659846cbd27403f0243fe2e4309bba84a11
SHA512: 66de9b5791f07a4f2b1cd0226ad283fc8ef7937561e980982172066e5ee63d31d944e702d6de9585577e35d511b237f7b53a0640b5d99c886de0055c29ab72e4