Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06/12/2024, 05:10
Static task
static1
Behavioral task
behavioral1
Sample
c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Resource
win7-20241010-en
General
-
Target
c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
-
Size
337KB
-
MD5
bb2fd47ba0745b3048eac29cb2d0e4c0
-
SHA1
6301acad5ed51e3fc37e71af6328c7d1690ce244
-
SHA256
c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17e
-
SHA512
f91810d6129f6d7adfc29b48be049673957b89a05afd494eb4a8295478f19d1fe40e91dd383746cf485371ec72493042a85e615070d28539bb7e035dd00ac965
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWa:vHW138/iXWlK885rKlGSekcj66ciu
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | huzau.exe -
Executes dropped EXE 2 IoCs
pid | Process
2020 | huzau.exe
4368 | vycus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | huzau.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vycus.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid | Process
4368 | vycus.exe (48 identical entries) -
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4060 wrote to memory of 2020 | 4060 | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe | 83
PID 4060 wrote to memory of 2020 | 4060 | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe | 83
PID 4060 wrote to memory of 2020 | 4060 | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe | 83
PID 4060 wrote to memory of 4484 | 4060 | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe | 84
PID 4060 wrote to memory of 4484 | 4060 | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe | 84
PID 4060 wrote to memory of 4484 | 4060 | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe | 84
PID 2020 wrote to memory of 4368 | 2020 | huzau.exe | 104
PID 2020 wrote to memory of 4368 | 2020 | huzau.exe | 104
PID 2020 wrote to memory of 4368 | 2020 | huzau.exe | 104
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060 -
Level 2: C:\Users\Admin\AppData\Local\Temp\huzau.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\huzau.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020 -
Level 3: C:\Users\Admin\AppData\Local\Temp\vycus.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\vycus.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4368
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
- System Location Discovery: System Language Discovery
PID:4484
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 342B
MD5: dee0ff11ade44a6767cb97531821c2fe
SHA1: f303b64693aeee045c07df382da5251cc4352488
SHA256: 1207aafa58d23e56206e87897fc849f15ed1e8aa372f265d41cc7227f6e3c32a
SHA512: 87ac0dbe3d1fa247b9ed7eb260abe12e4ca35ef3b3263d68f02bcee4242c80421e31eb9a955a4a31c11eeeeecdacb416ef9bb2b5259da9743ff40f6346461b52
-
Filesize: 512B
MD5: d943e8626eb5b94462f0fe02211b1550
SHA1: e69cb7e42e17e3c457b9ca919d42c9ef2c830603
SHA256: 640cf66d2b85776ba7c75bb2a6d862382c6f1c090f0b12d1d5bf01a3947f3dfd
SHA512: f807c9459ac538c48bd3617171bb7662d93d5a6c92d5de5ea85442f0b67060055f70ebdb849375cf5c835c5f15a1556a3735e6f28076b39aee56afe0e23a5c59
-
Filesize: 337KB
MD5: 73d97486c35ebb41ec71b80a659578d1
SHA1: c5f71632fdb3f8ec4b3a939c70be21d4da4b6c1f
SHA256: 44e5a9ffdf0511308c63718430998b61059fae0613e79a58b34a94ff1b8efe41
SHA512: bcaa80c95e1d073b7390a1708b7d3558ff3da5fb21e858ed8f54e1dbf549c71e61a9f451d83301e6fd15072de2dda31acef6843e514285c3af2ef24f7bb4cabe
-
Filesize: 172KB
MD5: ccc863312ab8b0a9575b90f886e37fe5
SHA1: 9d79acc76776a9607a80154cf9b71619cc1620bb
SHA256: 20b31af79144fe46a327c077bf6c48408f52b1d9dba8c8b39e557713361affe6
SHA512: 0f10a9820a57dfae0a708dded76412a28e4de3a938d3905a4757469182c7b24dac626c98011229cad947f72b7ecb4c21152dc769a22af630bdeb4429d4063658