Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:   120s
  max time network:  88s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         06/12/2024, 02:37
  Static task:       static1
  Behavioral task:   behavioral1
    Sample:    40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe
    Resource:  win7-20240903-en
General
  Target:  40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe
  Size:    337KB
  MD5:     53ac000b628536d3b532efbd2d8846b4
  SHA1:    091906986ad4bad87d885985e9b94b8df39dbf1e
  SHA256:  40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c
  SHA512:  56f18871a2d08423b1ab48f062327633c04a0bb20489adc38efda0cfe2d10d551b5fb127968534eb17d3e02c51b155afa7a77108832b3a54ad2da3b6b56cd281
  SSDEEP:  6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYl:vHW138/iXWlK885rKlGSekcj66ciU
Malware Config
  Extracted
    Family:  urelas
    C2:      218.54.31.226
             218.54.31.165
             218.54.31.166
Signatures
  Urelas family

  Deletes itself (1 IoC)
    pid   process
    2568  cmd.exe

  Executes dropped EXE (2 IoCs)
    pid   process
    2280  yvnob.exe
    1640  hoinr.exe

  Loads dropped DLL (2 IoCs)
    pid   process
    2444  40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe
    2280  yvnob.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                       process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yvnob.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hoinr.exe

  Suspicious behavior: EnumeratesProcesses (25 IoCs)
    pid   process
    1640  hoinr.exe  (25 identical events)

  Suspicious use of WriteProcessMemory (12 IoCs)
    description                                      pid   process                                                                  procid_target
    PID 2444 wrote to memory of 2280 (4 events)      2444  40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe   30
    PID 2444 wrote to memory of 2568 (4 events)      2444  40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe   31
    PID 2280 wrote to memory of 1640 (4 events)      2280  yvnob.exe                                                                34
Processes
  C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe  (PID 2444, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\yvnob.exe  (PID 2280, depth 2, parent PID 2444)
      command line: "C:\Users\Admin\AppData\Local\Temp\yvnob.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\hoinr.exe  (PID 1640, depth 3, parent PID 2280)
        command line: "C:\Users\Admin\AppData\Local\Temp\hoinr.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe  (PID 2568, depth 2, parent PID 2444)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
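The process tree above is the part of this report that turns into a detection most directly: a binary running from %TEMP% launches another binary dropped in %TEMP% (twice), and the original sample hands its own removal to cmd.exe via a .bat in %TEMP%, which is why "Deletes itself" is attributed to cmd.exe (PID 2568) rather than to the sample. The following Python is an added example and is not code from tria.ge or from the sample. It replays the tree as constructed process-creation events (PIDs, images and command lines copied from the report; the dict field names are an assumed simplified Sysmon EventID 1 style schema, and the parent PID 1000 of the initial sample is invented) and implements both checks plus a tree printer.

```python
"""Detection pass over process-creation events for the dropper chain in this report.

Added example, not part of the tria.ge report. EVENTS is constructed to mirror
the report's process tree; field names (pid, ppid, image, cmdline) are an assumed
simplified Sysmon EventID 1 schema and ppid 1000 for the sample is invented.
"""
import re

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches  cmd /c ""C:\...\x.bat" "  and captures the .bat path despite the doubled quotes.
BAT_LAUNCH = re.compile(r'/c\s+"*([^"]+?\.bat)"', re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe")

# Constructed events, one per process in the report (ppid 1000 is an assumption).
EVENTS = [
    {"pid": 2444, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2280, "ppid": 2444, "image": r"C:\Users\Admin\AppData\Local\Temp\yvnob.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\yvnob.exe"'},
    {"pid": 2568, "ppid": 2444, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 1640, "ppid": 2280, "image": r"C:\Users\Admin\AppData\Local\Temp\hoinr.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\hoinr.exe"'},
]


def by_pid(events):
    return {e["pid"]: e for e in events}


def temp_to_temp_spawns(events):
    """(parent_pid, child_pid, child_image) for every case where a binary running
    from %TEMP% launches another binary in %TEMP%: the 'Executes dropped EXE' pattern."""
    procs = by_pid(events)
    hits = []
    for e in events:
        parent = procs.get(e["ppid"])
        if parent and TEMP_DIR.search(parent["image"]) and TEMP_DIR.search(e["image"]):
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def self_delete_batches(events):
    """(parent_pid, cmd_pid, bat_path) where a %TEMP% binary runs cmd /c on a .bat
    that also lives in %TEMP%. This is the classic delete-myself handoff (ATT&CK
    T1070.004, Indicator Removal: File Deletion): the batch file waits for the
    parent to exit and then deletes it, so the deletion shows up under cmd.exe."""
    procs = by_pid(events)
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_LAUNCH.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if m and parent and TEMP_DIR.search(parent["image"]) and TEMP_DIR.search(m.group(1)):
            hits.append((parent["pid"], e["pid"], m.group(1)))
    return hits


def process_tree(events):
    """Render the events as indented 'pid image' lines, children sorted by pid."""
    procs = by_pid(events)
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    roots = [e for e in events if e["ppid"] not in procs]
    lines = []

    def walk(e, depth):
        lines.append("  " * depth + f'{e["pid"]} {e["image"]}')
        for child in sorted(children.get(e["pid"], []), key=lambda x: x["pid"]):
            walk(child, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree(EVENTS)))
    print("dropped-EXE executions:", temp_to_temp_spawns(EVENTS))
    print("self-delete batches:", self_delete_batches(EVENTS))
```

Against the constructed events the first check returns the two chain links 2444 → 2280 and 2280 → 1640, and the second returns the single (2444, 2568, _uinsey.bat) handoff. On real telemetry, keep the %TEMP% condition on the parent as well as the child; cmd /c on a .bat in %TEMP% by itself is common in installers, and it is the Temp-resident parent that makes the pattern worth alerting on.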
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  340B
    MD5:     6159adc1cb3082c6fba29dfa4259cbff
    SHA1:    5433d9d06057c56c48705e845b2752d83e010512
    SHA256:  5797579a6cf20ab1438fa6b8b6c63962815956eb46f0187a63e53254a9d92649
    SHA512:  8784d5bca01318502b0044e38acb2b6352055b620f407127e7d27c897d11513fc74bf6a423b1d4c86fdbae7dd905ba0d7821c7660df1f7de21c9b87f14c2705e

  Filesize:  512B
    MD5:     b175bbb7dc2eb50f84a070e8bcc6927f
    SHA1:    00c477d5e54261ed85645d0e3db95df75ec30608
    SHA256:  6c7ea45bad97bad4bff767605bbe365af052d429be02e11d549011b9f73306a8
    SHA512:  d2afa1c808fe1f2e481d8a7000d365515521a6c6fea54b17905d94951a549520f2d69e691257a919ba0560d1b3be249d295b46c6284927e77e47c3a16beb9ea7

  Filesize:  172KB
    MD5:     4470cd2e9a7759d7e562bbde39a51d6d
    SHA1:    dc004a5aa39f2333f023d6cf6224355ae8da6a93
    SHA256:  7e7de1957f1d7fcea7edc1e28e2085a443ea5b20b6edbc8df880275785ff1648
    SHA512:  dbf816e4fa7a94a073d450adf0f73fa6e93a18703c5d7579fac080a6b77d17add342b8c779a4cf20d4e05ac5667418d9a01070a727d0e881d546466733ae52a9

  Filesize:  337KB
    MD5:     4cc49f3084eebf53d0516fbeeb10e3c9
    SHA1:    869fe4abe608b0b1c67100d6a10bb598c10201e3
    SHA256:  b00a203ecbf370b03ee1edce9430a89cddc383bb32b0d77faf3299c1ad37dba3
    SHA512:  5b0e63182d30b60b12565630e8f6af9044338af4d698b33cea60ea23816a7b0c1e4b569dfeff526090aed518182393025eef0716532673dd88f7ff9061c35152