Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05/12/2024, 20:55
General
-
Target
9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe
-
Size
510KB
-
MD5
b639bc0a212aee9bc09ae316daff5210
-
SHA1
240e3ec4bc4255de9a585442aebf034a6df69c4c
-
SHA256
9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3
-
SHA512
36f549f9e1a4deb187cbd7e2bab8c16cb31078e2d5a503f8949abf077f4389ce96198d3fbdead95632e5c284c6269625fb2bba87bcaf96f6c1641ff61485ad07
-
SSDEEP
12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKou:3MUv2LAv9AQ1p4dKb
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe"C:\Users\Admin\AppData\Local\Temp\9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\coego.exe"C:\Users\Admin\AppData\Local\Temp\coego.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\duxeh.exe"C:\Users\Admin\AppData\Local\Temp\duxeh.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5d35772d3dd604dfd49eb86ebaa6f5f1a
SHA1db915609f0889d7aba69169fb5aa71a9c3bda4b5
SHA256f64da20470ab784b9e6e9e5056337861abf5972830b06d518d9d8dc2befe508d
SHA5128c3c6386823a5479fbde39361856153dd2e4baadfc87e95174fdf6d78cf742da7d41521ffcbd736b91ef3046602128900f528dc3bcc86007b6dd6d3ce90aa871
-
Filesize
510KB
MD5e8622865e28a0ac91bc44aff1c46a5af
SHA10f22e0509ea840b8f44dc21fc824f79ce3005843
SHA256dd63db3c6363785b904658990c5677d74c12b95c9ddc1151d3d87a8d368c1f8b
SHA5122d0987ec11caf9da1c75ea6bd336c4de04d2d18d0ec5cd759acf66fc0cf1a6f0015405f38c9f2b8cd462496e07e24f4854add25172a4e7124592477f712fe5d1
-
Filesize
172KB
MD556d463198b3eb0b623932ac6a2805b93
SHA1fb3abde26747d29bd5c1fde75fa23e39e621a41c
SHA256a597d6c0dc7007264a0eb1e8c937e83e43011e0b5cf34f15acd513dca2e2325c
SHA512eafef41db72bcb7afd1e60c346701383b61c59c72b81d1aca572bc58ed0d1e6ea1d308879cadda5d08b4ed9663eefcd42b61687ec147b0ab12909e87b6cd2c40
-
Filesize
512B
MD5a24e3008957da68734e391ab08b8baf0
SHA1ff79f4e384e9cbcfb4029723b3269ad803b7e3fe
SHA256323d8c905b3a3675a69f4ef3fec0f1ec052205a82770cdea59b6639510526984
SHA5120808033542a30a73abd6a0614db26225746aa6725f603f9ffeff3ce0617be9fe868ac699c32c6467f407a7d3fdb3d742981ebcd747b4368256af4f29cbb7b995
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB