Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
06/12/2024, 05:10
Static task
static1
Behavioral task
behavioral1
Sample
c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Resource
win7-20241010-en
General
-
Target
c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
-
Size
337KB
-
MD5
bb2fd47ba0745b3048eac29cb2d0e4c0
-
SHA1
6301acad5ed51e3fc37e71af6328c7d1690ce244
-
SHA256
c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17e
-
SHA512
f91810d6129f6d7adfc29b48be049673957b89a05afd494eb4a8295478f19d1fe40e91dd383746cf485371ec72493042a85e615070d28539bb7e035dd00ac965
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWa:vHW138/iXWlK885rKlGSekcj66ciu
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas family
-
Deletes itself 1 IoCs
pid   Process
2516  cmd.exe
-
Executes dropped EXE 2 IoCs
pid   Process
1940  wumux.exe
3036  exsuh.exe
-
Loads dropped DLL 2 IoCs
pid   Process
2440  c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
1940  wumux.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wumux.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  exsuh.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid   Process
3036  exsuh.exe (24 identical entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
description                         pid   Process                                                                  procid_target
PID 2440 wrote to memory of 1940    2440  c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe  30  (4 identical entries)
PID 2440 wrote to memory of 2516    2440  c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe  31  (4 identical entries)
PID 1940 wrote to memory of 3036    1940  wumux.exe                                                                34  (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2440
    C:\Users\Admin\AppData\Local\Temp\wumux.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\wumux.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1940
        C:\Users\Admin\AppData\Local\Temp\exsuh.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\exsuh.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3036
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2516
-
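The "Suspicious use of WriteProcessMemory" rows and the process tree above are two views of the same drop-and-run chain: each "PID A wrote to memory of B" row is the parent A writing into the child B it has just created, and the report repeats every row four times. The Python below is an added example, not code from tria.ge or from the sample's authors; it re-derives the tree from a constructed copy of those rows, walks the ancestry of the final payload, and flags every image launched from the user's Temp directory. The pid-to-path map is transcribed from the Processes section.

```python
"""Rebuild the process tree from Triage-style WriteProcessMemory rows.

Added example (not tria.ge code). WPM_ROWS and PROCS are constructed
here to mirror the tables in the report above.
"""
import re
from collections import defaultdict

SAMPLE = "c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed copy of the report rows: the sandbox logs one row per
# WriteProcessMemory call, so each child process appears four times.
WPM_ROWS = "\n".join(
    [f"PID 2440 wrote to memory of 1940 2440 {SAMPLE} 30"] * 4
    + [f"PID 2440 wrote to memory of 2516 2440 {SAMPLE} 31"] * 4
    + ["PID 1940 wrote to memory of 3036 1940 wumux.exe 34"] * 4
)

# pid -> (image name, image path), transcribed from the Processes section.
PROCS = {
    2440: (SAMPLE, TEMP + "\\" + SAMPLE),
    1940: ("wumux.exe", TEMP + r"\wumux.exe"),
    3036: ("exsuh.exe", TEMP + r"\exsuh.exe"),
    2516: ("cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
}

# description, pid (same as the writer in the description), Process, procid_target
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm(text):
    """Return unique (writer_pid, target_pid) edges in first-seen order,
    collapsing the repeated rows the sandbox emits per write call."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each parent pid to the ordered list of pids it wrote into."""
    tree = defaultdict(list)
    for parent, child in edges:
        tree[parent].append(child)
    return dict(tree)


def ancestry(edges, pid):
    """Follow parent links back to the root: [root, ..., pid]."""
    parent_of = {child: parent for parent, child in edges}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


def temp_executables(procs):
    """PIDs whose image lives under the user's Temp directory, i.e. the
    dropped payloads rather than a system binary such as cmd.exe."""
    marker = "\\AppData\\Local\\Temp\\"
    return sorted(pid for pid, (_, path) in procs.items() if marker in path)


def render(tree, procs, root, depth=0):
    """Indented text rendering of the tree, one line per process."""
    lines = ["    " * depth + f"{procs[root][0]} (PID {root})"]
    for child in tree.get(root, []):
        lines.extend(render(tree, procs, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("\n".join(render(build_tree(edges), PROCS, 2440)))
    print("payload ancestry:", " -> ".join(PROCS[p][0] for p in ancestry(edges, 3036)))
    print("images run from Temp:", temp_executables(PROCS))
```

The dedup step matters when feeding such rows into a detection pipeline: counting raw rows would report twelve "process injections" where the report shows three child processes, all of them ordinary CreateProcess staging by the parent.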
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
342B
MD5 dee0ff11ade44a6767cb97531821c2fe
SHA1 f303b64693aeee045c07df382da5251cc4352488
SHA256 1207aafa58d23e56206e87897fc849f15ed1e8aa372f265d41cc7227f6e3c32a
SHA512 87ac0dbe3d1fa247b9ed7eb260abe12e4ca35ef3b3263d68f02bcee4242c80421e31eb9a955a4a31c11eeeeecdacb416ef9bb2b5259da9743ff40f6346461b52
-
Filesize
512B
MD5 04be83830ca0de360e5c2aefae118137
SHA1 720677d76b58e4fafc6079b4bbb67fcc7637e650
SHA256 0db0edab8a761602a40792babb526888ca112660fda337fee714b2ea38671f89
SHA512 15dcd2b54a720e2254ea014f42fcc68f950d15a3f831b7754a8d9e05d7482b82f36683d8651e29a44e1faa901596f196cd1d503ea4381e0270e3f1b6616d13c2
-
Filesize
337KB
MD5 1058bae2801f5db484e67abe04d7cafe
SHA1 a28c1325aa8405a772b748df2923534f7da7ff21
SHA256 321bb1bca3162e31a2f415ef087943b3fc7fde5bb05dea58982579d3f59796e5
SHA512 3c5b88c1df6626c5a450a888ede6f602a5eecae3e2e3ff555f69258b732082458a37ab8d47aec1beb667a3bf74564ae04a7a80696d2507ed15e2012b677f459d
-
Filesize
172KB
MD5 fedd3bc47beeb2db6d35f09b9faf8403
SHA1 547a14dfe7f4034e056fbd72e3baaa014703fc4e
SHA256 51355b926239f3b537699b2904fc2999cfcdd79fa159626d343b629cd09836d7
SHA512 006985d2c422e4482a4da6b6f3e234b5d51b6487633e76e9b835315465bc54cb7d169e52a7b9f388fb3edd9f34a55ccd24c678ec654eb3ba6594adb646a78a8d