Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
88s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/12/2024, 02:37
General
-
Target
40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe
-
Size
337KB
-
MD5
53ac000b628536d3b532efbd2d8846b4
-
SHA1
091906986ad4bad87d885985e9b94b8df39dbf1e
-
SHA256
40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c
-
SHA512
56f18871a2d08423b1ab48f062327633c04a0bb20489adc38efda0cfe2d10d551b5fb127968534eb17d3e02c51b155afa7a77108832b3a54ad2da3b6b56cd281
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYl:vHW138/iXWlK885rKlGSekcj66ciU
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe"C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yvnob.exe"C:\Users\Admin\AppData\Local\Temp\yvnob.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hoinr.exe"C:\Users\Admin\AppData\Local\Temp\hoinr.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD56159adc1cb3082c6fba29dfa4259cbff
SHA15433d9d06057c56c48705e845b2752d83e010512
SHA2565797579a6cf20ab1438fa6b8b6c63962815956eb46f0187a63e53254a9d92649
SHA5128784d5bca01318502b0044e38acb2b6352055b620f407127e7d27c897d11513fc74bf6a423b1d4c86fdbae7dd905ba0d7821c7660df1f7de21c9b87f14c2705e
-
Filesize
512B
MD5b175bbb7dc2eb50f84a070e8bcc6927f
SHA100c477d5e54261ed85645d0e3db95df75ec30608
SHA2566c7ea45bad97bad4bff767605bbe365af052d429be02e11d549011b9f73306a8
SHA512d2afa1c808fe1f2e481d8a7000d365515521a6c6fea54b17905d94951a549520f2d69e691257a919ba0560d1b3be249d295b46c6284927e77e47c3a16beb9ea7
-
Filesize
172KB
MD54470cd2e9a7759d7e562bbde39a51d6d
SHA1dc004a5aa39f2333f023d6cf6224355ae8da6a93
SHA2567e7de1957f1d7fcea7edc1e28e2085a443ea5b20b6edbc8df880275785ff1648
SHA512dbf816e4fa7a94a073d450adf0f73fa6e93a18703c5d7579fac080a6b77d17add342b8c779a4cf20d4e05ac5667418d9a01070a727d0e881d546466733ae52a9
-
Filesize
337KB
MD54cc49f3084eebf53d0516fbeeb10e3c9
SHA1869fe4abe608b0b1c67100d6a10bb598c10201e3
SHA256b00a203ecbf370b03ee1edce9430a89cddc383bb32b0d77faf3299c1ad37dba3
SHA5125b0e63182d30b60b12565630e8f6af9044338af4d698b33cea60ea23816a7b0c1e4b569dfeff526090aed518182393025eef0716532673dd88f7ff9061c35152
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB