
Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2024, 07:32

General

  • Target

    4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe

  • Size

    335KB

  • MD5

    6b6d7280b40ecf8da84985d92247e200

  • SHA1

    1ef07cafa873cdb3e748558ea6a92ff890757612

  • SHA256

    4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4

  • SHA512

    736c7e889bd4a8d957a25c6491532c8420edf0ff6f1f28e573cac3aa17cf11999caa793648d03e4c071f6a8fc63676067f5c67da89ce4604c1e9fc14ea43a3b9

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVV0:vHW138/iXWlK885rKlGSekcj66ciEV0

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166
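The three C2 addresses above are the actionable network IoCs in this report. The following is an added example (not tria.ge output and not part of the sample) of turning them into a log sweep: exact matches on the listed hosts, plus a weaker pivot on the enclosing 218.54.31.0/24, which is an assumption made here because all three hosts share that /24. The log lines are constructed for the example; the report contains no network capture.

```python
import ipaddress
import re
from typing import Optional

# Urelas C2 addresses as extracted in this report.
URELAS_C2 = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}

# Assumption, not something the report states: all three C2 hosts sit in one
# /24, so the enclosing network is used as a weaker "review this" pivot.
URELAS_C2_NET = ipaddress.ip_network("218.54.31.0/24")

# Constructed sample log in a minimal "timestamp src dst:port action" shape.
# These lines were made up for this example; the report has no network log.
SAMPLE_LOG = """\
2024-12-06T07:33:01Z 10.0.0.25 218.54.31.226:80 ALLOW
2024-12-06T07:33:02Z 10.0.0.25 142.250.74.46:443 ALLOW
2024-12-06T07:33:05Z 10.0.0.25 218.54.31.165:8080 DENY
2024-12-06T07:33:09Z 10.0.0.31 218.54.31.77:443 ALLOW
2024-12-06T07:33:12Z 10.0.0.25 not-an-ip:80 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def classify(dst: str) -> Optional[str]:
    """'c2-exact' for a listed C2, 'c2-net' for the /24 pivot, else None."""
    if dst in URELAS_C2:
        return "c2-exact"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:          # hostnames or junk: not an IP, no verdict
        return None
    return "c2-net" if addr in URELAS_C2_NET else None


def scan_log(text: str) -> list:
    """One dict per matching line. Denied connections still count: a blocked
    beacon still means the source host is running the sample."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m["dst"])
        if verdict is not None:
            hits.append({**m.groupdict(), "match": verdict})
    return hits


def infected_hosts(text: str) -> set:
    """Source addresses that contacted (or tried to contact) a listed C2."""
    return {h["src"] for h in scan_log(text) if h["match"] == "c2-exact"}
```

The /24 hits are deliberately reported separately from exact hits: a neighbouring address in that range is worth a look, but on its own it is not evidence of Urelas.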

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\biynm.exe
      "C:\Users\Admin\AppData\Local\Temp\biynm.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Users\Admin\AppData\Local\Temp\odjet.exe
        "C:\Users\Admin\AppData\Local\Temp\odjet.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1276
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1844
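The tree above shows the pattern a detection engineer would want to encode: a Temp-resident executable starting another Temp-resident executable it just dropped (1208 → 1344 → 1276), and cmd.exe /c running a .bat from Temp (1844). The code below is an added example, not tria.ge logic; it rebuilds this report's tree from the listed PIDs, images and command lines (parent PIDs taken from the nesting, the sandbox parent of 1208 is not shown and is left as None) and runs two heuristics over it.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None where the report shows no parent (the root)
    image: str
    cmdline: str


# The process tree exactly as this report lists it. Parent PIDs come from the
# nesting of the tree; the sandbox's own parent of PID 1208 is not shown.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe"
TREE = [
    Proc(1208, None, ROOT, f'"{ROOT}"'),
    Proc(1344, 1208, r"C:\Users\Admin\AppData\Local\Temp\biynm.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\biynm.exe"'),
    Proc(1276, 1344, r"C:\Users\Admin\AppData\Local\Temp\odjet.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\odjet.exe"'),
    Proc(1844, 1208, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
]

TEMP_MARK = "\\appdata\\local\\temp\\"
# Tolerates the doubled quotes seen in the cmd.exe command line above.
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]+\.bat)"*', re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    return TEMP_MARK in path.lower()


def is_exe(path: str) -> bool:
    return path.lower().endswith(".exe")


def find_suspicious(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Two heuristics drawn from the tree above:
    1. an .exe in a user Temp dir started by another .exe in a user Temp dir
       (a dropper running what it just wrote);
    2. cmd.exe /c running a .bat from Temp (a typical clean-up step)."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent and is_exe(p.image) and in_user_temp(p.image) and in_user_temp(parent.image):
            findings.append((p.pid, "temp-exe-spawns-temp-exe"))
        if ntpath.basename(p.image).lower() == "cmd.exe":
            m = BAT_RE.search(p.cmdline)
            if m and in_user_temp(m["bat"]):
                findings.append((p.pid, "cmd-runs-temp-bat"))
    return findings


def temp_chain_depth(procs: List[Proc], pid: int) -> int:
    """Consecutive Temp-resident .exe ancestors of a PID, itself included."""
    by_pid = {p.pid: p for p in procs}
    depth, cur = 0, by_pid.get(pid)
    while cur is not None and is_exe(cur.image) and in_user_temp(cur.image):
        depth += 1
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return depth
```

One detail worth keeping from the report when writing such rules: the cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32. That is WoW64 file-system redirection, which tells you the parent (1208) is a 32-bit process on this x64 image, consistent with the arch:x86 tag. Match on the resolved image path, not the typed one.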

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    22222a2451e6d34a39b22f51cd34e504

    SHA1

    84c6c07bb4cea25b2dbe1c2e7d9cc7c67307e028

    SHA256

    6d2db47ebe8a8e93fbd985a7111986ff83d9a7e900c738840f9d4955be2066c2

    SHA512

    718ed487f7c7e54a3fccce5a523c11aeb4fb631b03f22bdc477a91a32238d936dd500df477562ab882e2cedee4c49a822a9593126178628c7d14d4b8c28c8478

  • C:\Users\Admin\AppData\Local\Temp\biynm.exe

    Filesize

    335KB

    MD5

    2401f64f41965e2695e1d15419388350

    SHA1

    cd89ef2a8ea99ded4b76c0fddc9d87d1ff1c373e

    SHA256

    1767eb0284c5ad34f469bc5e11ac70a9ad3115a3c1d550e0fdda06712c39e13a

    SHA512

    6364631f5725e774d1dbc99e495c1b45ac1cfa2e254fe0e931f32e12b72b9c3f5fcb3c068bf30c557404e222ca0855f12e74e15d288de5b0e65b3faaa3da15da

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    dbcb1b6678e69be465456ca81726329a

    SHA1

    2c6038990534a52da28ad5c3f0a4b8fbfa21eb42

    SHA256

    5ddf6414679263ae0ab7cb6a2bb81acb0c92ba20eeeb63decb617eaddf26640b

    SHA512

    410228732427fe0b4ca4b47f559da27315a6ffe25365d2bb4eb88ba629f0708c5facfcd7302065fbe7ad98d7f44ec7442fae0d10d3b86ec2c70b60a83edbe76a

  • C:\Users\Admin\AppData\Local\Temp\odjet.exe

    Filesize

    172KB

    MD5

    0cbc11831abf839ed065c7d9cfa131c9

    SHA1

    b5f07edf1d43d539c064eb3e7eb89140094b02db

    SHA256

    23401af6952f2554fb23382b3d4fd6781de411e73335a46fb9a212b8f9b94011

    SHA512

    71dc487f0b1cfdad5c2d5c4666d85801b99a082084a10445d12b3ee01c3ad86ec7052845ff68e6b397121842da212a3e37b10e0b4a2ee8fdb75ff8a2856c553d

  • memory/1208-1-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

  • memory/1208-0-0x0000000000C30000-0x0000000000CB1000-memory.dmp

    Filesize

    516KB

  • memory/1208-17-0x0000000000C30000-0x0000000000CB1000-memory.dmp

    Filesize

    516KB

  • memory/1276-48-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/1276-46-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/1276-47-0x00000000005D0000-0x00000000005D2000-memory.dmp

    Filesize

    8KB

  • memory/1276-41-0x00000000005D0000-0x00000000005D2000-memory.dmp

    Filesize

    8KB

  • memory/1276-37-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/1276-42-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/1344-20-0x0000000000FC0000-0x0000000001041000-memory.dmp

    Filesize

    516KB

  • memory/1344-40-0x0000000000FC0000-0x0000000001041000-memory.dmp

    Filesize

    516KB

  • memory/1344-21-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

  • memory/1344-11-0x0000000000FC0000-0x0000000001041000-memory.dmp

    Filesize

    516KB

  • memory/1344-14-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB
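The memory dump names above encode PID, event sequence number and the virtual address range of each captured region, and the Filesize next to each is just the length of that range. The parser below is an added example (not part of tria.ge or this report) that decodes every name listed above, collapses repeated captures of the same range into one region with its sequence numbers, and reproduces the report's KB labels; it also gives a quick way to see that 1208 and 1344 map a region of the same 516KB size, which together with the identical 335KB on-disk sizes is consistent with biynm.exe being a re-dropped copy of the original (their differing hashes show the bytes are not identical, so this is a hint, not proof).

```python
import re
from collections import defaultdict
from typing import Dict, List

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Every dump name from the list above, in the order the report shows them.
DUMP_NAMES = [
    "memory/1208-1-0x0000000000600000-0x0000000000601000-memory.dmp",
    "memory/1208-0-0x0000000000C30000-0x0000000000CB1000-memory.dmp",
    "memory/1208-17-0x0000000000C30000-0x0000000000CB1000-memory.dmp",
    "memory/1276-48-0x0000000000720000-0x00000000007B9000-memory.dmp",
    "memory/1276-46-0x0000000000720000-0x00000000007B9000-memory.dmp",
    "memory/1276-47-0x00000000005D0000-0x00000000005D2000-memory.dmp",
    "memory/1276-41-0x00000000005D0000-0x00000000005D2000-memory.dmp",
    "memory/1276-37-0x0000000000720000-0x00000000007B9000-memory.dmp",
    "memory/1276-42-0x0000000000720000-0x00000000007B9000-memory.dmp",
    "memory/1344-20-0x0000000000FC0000-0x0000000001041000-memory.dmp",
    "memory/1344-40-0x0000000000FC0000-0x0000000001041000-memory.dmp",
    "memory/1344-21-0x00000000003B0000-0x00000000003B1000-memory.dmp",
    "memory/1344-11-0x0000000000FC0000-0x0000000001041000-memory.dmp",
    "memory/1344-14-0x00000000003B0000-0x00000000003B1000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Decode 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp'."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes: int) -> str:
    """Same whole-KB rounding the report uses for its Filesize fields."""
    return f"{nbytes // 1024}KB"


def regions_by_pid(names: List[str]) -> Dict[int, List[dict]]:
    """Collapse repeated dumps of one range into a single region carrying the
    sorted sequence numbers at which it was captured; regions sorted by start."""
    grouped = defaultdict(dict)
    for d in (parse_dump_name(n) for n in names):
        key = (d["start"], d["end"])
        region = grouped[d["pid"]].setdefault(
            key, {"start": d["start"], "end": d["end"], "size": d["size"], "seqs": []})
        region["seqs"].append(d["seq"])
    out = {}
    for pid, regs in grouped.items():
        for r in regs.values():
            r["seqs"].sort()
        out[pid] = sorted(regs.values(), key=lambda r: r["start"])
    return out


def sizes_shared_between(pid_a: int, pid_b: int, summary: Dict[int, List[dict]]) -> List[int]:
    """Region sizes present in both PIDs: a cheap 'same image mapped?' hint."""
    a = {r["size"] for r in summary[pid_a]}
    b = {r["size"] for r in summary[pid_b]}
    return sorted(a & b)
```

Repeated captures of the same range at later sequence numbers (for example 0x720000 in PID 1276 at 37, 42, 46 and 48) are the dumps to diff when looking for in-place unpacking or configuration being written into the image after start.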