Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    88s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2024, 02:37

General

  • Target

    40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe

  • Size

    337KB

  • MD5

    53ac000b628536d3b532efbd2d8846b4

  • SHA1

    091906986ad4bad87d885985e9b94b8df39dbf1e

  • SHA256

    40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c

  • SHA512

    56f18871a2d08423b1ab48f062327633c04a0bb20489adc38efda0cfe2d10d551b5fb127968534eb17d3e02c51b155afa7a77108832b3a54ad2da3b6b56cd281

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYl:vHW138/iXWlK885rKlGSekcj66ciU

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe
    "C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\yvnob.exe
      "C:\Users\Admin\AppData\Local\Temp\yvnob.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Users\Admin\AppData\Local\Temp\hoinr.exe
        "C:\Users\Admin\AppData\Local\Temp\hoinr.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    6159adc1cb3082c6fba29dfa4259cbff

    SHA1

    5433d9d06057c56c48705e845b2752d83e010512

    SHA256

    5797579a6cf20ab1438fa6b8b6c63962815956eb46f0187a63e53254a9d92649

    SHA512

    8784d5bca01318502b0044e38acb2b6352055b620f407127e7d27c897d11513fc74bf6a423b1d4c86fdbae7dd905ba0d7821c7660df1f7de21c9b87f14c2705e

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    b175bbb7dc2eb50f84a070e8bcc6927f

    SHA1

    00c477d5e54261ed85645d0e3db95df75ec30608

    SHA256

    6c7ea45bad97bad4bff767605bbe365af052d429be02e11d549011b9f73306a8

    SHA512

    d2afa1c808fe1f2e481d8a7000d365515521a6c6fea54b17905d94951a549520f2d69e691257a919ba0560d1b3be249d295b46c6284927e77e47c3a16beb9ea7

  • \Users\Admin\AppData\Local\Temp\hoinr.exe

    Filesize

    172KB

    MD5

    4470cd2e9a7759d7e562bbde39a51d6d

    SHA1

    dc004a5aa39f2333f023d6cf6224355ae8da6a93

    SHA256

    7e7de1957f1d7fcea7edc1e28e2085a443ea5b20b6edbc8df880275785ff1648

    SHA512

    dbf816e4fa7a94a073d450adf0f73fa6e93a18703c5d7579fac080a6b77d17add342b8c779a4cf20d4e05ac5667418d9a01070a727d0e881d546466733ae52a9

  • \Users\Admin\AppData\Local\Temp\yvnob.exe

    Filesize

    337KB

    MD5

    4cc49f3084eebf53d0516fbeeb10e3c9

    SHA1

    869fe4abe608b0b1c67100d6a10bb598c10201e3

    SHA256

    b00a203ecbf370b03ee1edce9430a89cddc383bb32b0d77faf3299c1ad37dba3

    SHA512

    5b0e63182d30b60b12565630e8f6af9044338af4d698b33cea60ea23816a7b0c1e4b569dfeff526090aed518182393025eef0716532673dd88f7ff9061c35152

  • memory/1640-49-0x00000000001E0000-0x0000000000279000-memory.dmp

    Filesize

    612KB

  • memory/1640-48-0x00000000001E0000-0x0000000000279000-memory.dmp

    Filesize

    612KB

  • memory/1640-44-0x00000000001E0000-0x0000000000279000-memory.dmp

    Filesize

    612KB

  • memory/1640-43-0x00000000001E0000-0x0000000000279000-memory.dmp

    Filesize

    612KB

  • memory/2280-20-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2280-25-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2280-24-0x0000000001120000-0x00000000011A1000-memory.dmp

    Filesize

    516KB

  • memory/2280-40-0x00000000032B0000-0x0000000003349000-memory.dmp

    Filesize

    612KB

  • memory/2280-42-0x0000000001120000-0x00000000011A1000-memory.dmp

    Filesize

    516KB

  • memory/2280-19-0x0000000001120000-0x00000000011A1000-memory.dmp

    Filesize

    516KB

  • memory/2444-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2444-21-0x00000000013D0000-0x0000000001451000-memory.dmp

    Filesize

    516KB

  • memory/2444-0-0x00000000013D0000-0x0000000001451000-memory.dmp

    Filesize

    516KB

  • memory/2444-16-0x00000000010A0000-0x0000000001121000-memory.dmp

    Filesize

    516KB