Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2024, 06:43
Static task: static1
Behavioral task: behavioral1
- Sample: c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
- Resource: win7-20240708-en
General
- Target: c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
- Size: 868KB
- MD5: e114ad9017c59a2e93648082880950ea
- SHA1: 009b0747726a454101fec16dbbaaa840a9e454c7
- SHA256: c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4
- SHA512: bc304bf8ec18f84062e31e5d1cf6108c1ae7c1fbab71ff8309d24bc0d4f0852da95a93a07f498ddfef91933f4ca1aa5c06ef1c20fb48dc0e4fd5a46e7cf1abb3
- SSDEEP: 12288:BO2QLxzVhdf+5utolnQux+GthLM2X4hVc+5Y+vWcg4RalJaCvHl0h9RMXlRkb:BaLza5uDugu/CIwLkJlH2h9a16b
Malware Config
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid 2460, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 544, process apcul.exe
  pid 2392, process mipox.exe
- Loads dropped DLL (2 IoCs)
  pid 2992, process c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
  pid 544, process apcul.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe, apcul.exe, cmd.exe and mipox.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 2392, process mipox.exe (25 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 2992, process c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 544, process apcul.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 2392, process mipox.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2992 (c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe) wrote to memory of 544, procid_target 30 (4 occurrences)
  PID 2992 (c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe) wrote to memory of 2460, procid_target 31 (4 occurrences)
  PID 544 (apcul.exe) wrote to memory of 2392, procid_target 34 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe"
  PID: 2992
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\apcul.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\apcul.exe"
    PID: 544
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mipox.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mipox.exe"
      PID: 2392
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
    PID: 2460
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 3d19ac93e1427854771f41ffc2c87036
  SHA1: 7d3f061bb9608e83c0e3e201d7ea2b1d68e0a81b
  SHA256: ba69b131b863c2b2dee0f7d022020aa0715d53f69e671e2392c10c92f085623e
  SHA512: c3a0b301122d7d602f83d4581891c4a1cf1fac965f5fe67eff7ef7d85e64d92c75a00ee60cd7e80ced0e66e138f98a0bcc092659d5afbdfbed2bf252d1ce0102
- Filesize: 512B
  MD5: ecaedc811c74811a7d94eb21bcd55271
  SHA1: 51eb1fe62b38b4d921d3bca10e9510075b6af84b
  SHA256: cd877bca475e76b68615b2090a61299bfe5e14b20a16ee878cb850cd615d2e3e
  SHA512: 378c86fc4e42438cfaa36d740ae98eaa775ab6807907e56800759b924f3e2459617c979ac5cae887b254faba2f54c39b138b9fbad83582a3cc1599046ff26e66
- Filesize: 294KB
  MD5: bc41a7f6c3cf326c5bba41439352f083
  SHA1: 3d07620f959ef1c7898a5dae72c0d1faed17752c
  SHA256: ed7f37a375c617d19e7d06086a0f7e4c590bcde500cfb885dfb24eb4e5c53346
  SHA512: b3dfeb6848128f42a6154c9ae500a774d62994905d3a1fe4b4efabd49ff03c59ca4f018c7ff985099b4172edfb8bec4b5ebe2c81df4bfa44970430a189fe3cda
- Filesize: 868KB
  MD5: c6c9b546933af7dc2013038347635d7d
  SHA1: 1c62a44e8294b39e9d2e2d1dd3f3d33ada7497a9
  SHA256: d384f27b4431ba8fd1cecaa982a03c6db662abb7f38997bd2f7938b1b3cf0b9f
  SHA512: 55ad20f171f4e9a9d34c8cb3c8ad2ec5b41ab72f508fef46373c0f92a9f4c6ed29981cc693e10297e4b5cf4fc1e0b14e999aef666548905b6514a58b1e69cdfb