Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2024, 07:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
- Resource: win7-20240903-en
General
- Target: 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
- Size: 335KB
- MD5: 6b6d7280b40ecf8da84985d92247e200
- SHA1: 1ef07cafa873cdb3e748558ea6a92ff890757612
- SHA256: 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4
- SHA512: 736c7e889bd4a8d957a25c6491532c8420edf0ff6f1f28e573cac3aa17cf11999caa793648d03e4c071f6a8fc63676067f5c67da89ce4604c1e9fc14ea43a3b9
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVV0:vHW138/iXWlK885rKlGSekcj66ciEV0
Malware Config
Extracted
- Family: urelas
- C2 addresses:
  - 218.54.31.226
  - 218.54.31.165
  - 218.54.31.166
Signatures
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | biynm.exe
Executes dropped EXE 2 IoCs
pid | Process
1344 | biynm.exe
1276 | odjet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odjet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | biynm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid | Process
1276 | odjet.exe (this row is repeated 46 times in the report)
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1208 wrote to memory of 1344 | 1208 | 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe | 82 (row repeated 3 times)
PID 1208 wrote to memory of 1844 | 1208 | 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe | 83 (row repeated 3 times)
PID 1344 wrote to memory of 1276 | 1344 | biynm.exe | 94 (row repeated 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe"
   PID: 1208
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\biynm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\biynm.exe"
      PID: 1344
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\odjet.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\odjet.exe"
         PID: 1276
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 1844
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: 22222a2451e6d34a39b22f51cd34e504
  SHA1: 84c6c07bb4cea25b2dbe1c2e7d9cc7c67307e028
  SHA256: 6d2db47ebe8a8e93fbd985a7111986ff83d9a7e900c738840f9d4955be2066c2
  SHA512: 718ed487f7c7e54a3fccce5a523c11aeb4fb631b03f22bdc477a91a32238d936dd500df477562ab882e2cedee4c49a822a9593126178628c7d14d4b8c28c8478
- Filesize: 335KB
  MD5: 2401f64f41965e2695e1d15419388350
  SHA1: cd89ef2a8ea99ded4b76c0fddc9d87d1ff1c373e
  SHA256: 1767eb0284c5ad34f469bc5e11ac70a9ad3115a3c1d550e0fdda06712c39e13a
  SHA512: 6364631f5725e774d1dbc99e495c1b45ac1cfa2e254fe0e931f32e12b72b9c3f5fcb3c068bf30c557404e222ca0855f12e74e15d288de5b0e65b3faaa3da15da
- Filesize: 512B
  MD5: dbcb1b6678e69be465456ca81726329a
  SHA1: 2c6038990534a52da28ad5c3f0a4b8fbfa21eb42
  SHA256: 5ddf6414679263ae0ab7cb6a2bb81acb0c92ba20eeeb63decb617eaddf26640b
  SHA512: 410228732427fe0b4ca4b47f559da27315a6ffe25365d2bb4eb88ba629f0708c5facfcd7302065fbe7ad98d7f44ec7442fae0d10d3b86ec2c70b60a83edbe76a
- Filesize: 172KB
  MD5: 0cbc11831abf839ed065c7d9cfa131c9
  SHA1: b5f07edf1d43d539c064eb3e7eb89140094b02db
  SHA256: 23401af6952f2554fb23382b3d4fd6781de411e73335a46fb9a212b8f9b94011
  SHA512: 71dc487f0b1cfdad5c2d5c4666d85801b99a082084a10445d12b3ee01c3ad86ec7052845ff68e6b397121842da212a3e37b10e0b4a2ee8fdb75ff8a2856c553d