Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06/12/2024, 06:43
General
-
Target
c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe
-
Size
868KB
-
MD5
e114ad9017c59a2e93648082880950ea
-
SHA1
009b0747726a454101fec16dbbaaa840a9e454c7
-
SHA256
c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4
-
SHA512
bc304bf8ec18f84062e31e5d1cf6108c1ae7c1fbab71ff8309d24bc0d4f0852da95a93a07f498ddfef91933f4ca1aa5c06ef1c20fb48dc0e4fd5a46e7cf1abb3
-
SSDEEP
12288:BO2QLxzVhdf+5utolnQux+GthLM2X4hVc+5Y+vWcg4RalJaCvHl0h9RMXlRkb:BaLza5uDugu/CIwLkJlH2h9a16b
Malware Config
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe"C:\Users\Admin\AppData\Local\Temp\c5ca498e477c55a92617725bfb977c377bb257896925ddcb0bb658a9b09939f4.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\juedy.exe"C:\Users\Admin\AppData\Local\Temp\juedy.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mogiu.exe"C:\Users\Admin\AppData\Local\Temp\mogiu.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD53d19ac93e1427854771f41ffc2c87036
SHA17d3f061bb9608e83c0e3e201d7ea2b1d68e0a81b
SHA256ba69b131b863c2b2dee0f7d022020aa0715d53f69e671e2392c10c92f085623e
SHA512c3a0b301122d7d602f83d4581891c4a1cf1fac965f5fe67eff7ef7d85e64d92c75a00ee60cd7e80ced0e66e138f98a0bcc092659d5afbdfbed2bf252d1ce0102
-
Filesize
512B
MD55f49f638772933db6cf8d9db0650edfd
SHA116899b3b33ac3b64c4c6a9c9cba4439cd903d58e
SHA256641eb244e006f327a36daed4cb8ec358dd4abe027894f26dbbe28296ef493960
SHA512fdaa73cebd0f6283ffb6341b8a03e39614755d6f96440fb32e14c6e13c6c75503639f62d9fa3422171266b73a2a74cdc21e3f0b3475a593ef01149d0b0b03439
-
Filesize
868KB
MD535775e4d5b16c06e50b533365dd19187
SHA174a56271b968d7872c668795cfe60ac978f69899
SHA256c3d156152a6d751596cb32c4dd6a437146d644d969ae0c032338ce8e6e9a8386
SHA512c0c307e09a2c78a859eade2127f1d1fde2a4870a7173b795097cf0dabcb5643f353d9befe0a69d27d152215a2c7d8986bf3d35c1a06c967737c4b954d9d4b1ac
-
Filesize
294KB
MD5b845a3592fbb22d696a44080b2f7973d
SHA1462a097b7ceb5b91ad0c665d42a4bb8ff42c7de5
SHA256ade5863aa07f0460bdee4ea79491060ea46f45bce0b25ec3a4e299c67307417d
SHA512d207c45a0087a2a31761b57e83c01743023f66ea9fbe94dd6ab2edd7e59843874c8184cc741e8efd24eb8bf296e7619eaa81d11cf444eb75c39adf130d0a3e55
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
4KB