Analysis
max time kernel: 119s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2024, 14:27
Static task: static1
Behavioral task: behavioral1
Sample: a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
Resource: win7-20240903-en
General
Target: a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
Size: 335KB
MD5: 04d68eaf478d47657476caf43d7285c0
SHA1: ce15233f41f268c12fb404dee0fd43278a8ea1a7
SHA256: a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5
SHA512: 1ad03af4af901ca022b64a9d2e630219fc546afa72ee3ab978413b7cdb1c0cc651074b28bac870b1ba27e3b883e3d64524e33d63727403fdaabf090d500543e5
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cir
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
- Urelas family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | dahal.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  5068 | dahal.exe
  1132 | wyizu.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dahal.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wyizu.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid | Process
  1132 | wyizu.exe (48 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3420 wrote to memory of 5068 | 3420 | a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe | 83 (3 entries)
  PID 3420 wrote to memory of 4284 | 3420 | a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe | 84 (3 entries)
  PID 5068 wrote to memory of 1132 | 5068 | dahal.exe | 104 (3 entries)
Processes
- a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe (PID 3420)
  Path: C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - dahal.exe (PID 5068)
    Path: C:\Users\Admin\AppData\Local\Temp\dahal.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dahal.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - wyizu.exe (PID 1132)
      Path: C:\Users\Admin\AppData\Local\Temp\wyizu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wyizu.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - cmd.exe (PID 4284)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: c172a424cc00b26d4d85581ae514e7d8
  SHA1: a7ecdb5ec063dac988c82b20d1f0a86b92614006
  SHA256: 5b527a29c060d697eec47886c68afd011769d9228bdd88908fe3830785e07fe3
  SHA512: d84c0f57c681eea26dee174c9a60bbe3f7a1442ac30ce38b05e57fc9e4b94c44f208eaa2112f913be04cce8459aeb959a4990b3c002ad09803e8fb80fab5b12b
- Filesize: 335KB
  MD5: 151395892f7efc5265fc4ffec79a46c4
  SHA1: f13296fa493bcbc67ac308645f6972383f4806f2
  SHA256: ef9a469fce77af704fe9690e96cda131b8d860f03d567f6afe2c26c990659e57
  SHA512: 48e75689e0addf71760b80782703fdf2fe886de3eb4db8a7a20ff6696995d9558d982f4669d32e9ab185367e55bd4b10578710f9a988c40c9621956630015c40
- Filesize: 512B
  MD5: 88641f8e713c756f3bf80fef94be37ad
  SHA1: 34e8ee51d2897cb7731c9cf7bbab0c6f32012bb8
  SHA256: 312f585965ad09b4550e7d370cc8f4f1ef697a10ff68876ad2bfd0900a2dff3c
  SHA512: 6da7b855c7ff5875548297854a66bb135a4cb7b822c5638ddddee628e5e74ce156ee798e6e0b17b581d09f919cd87f7479d5556e681b0374e091a5b2791a9daf
- Filesize: 172KB
  MD5: 21b8a05637dc4c1a11ef630d5650bc2f
  SHA1: d1c628490a8d2f3556e70364a661c01df52fbc03
  SHA256: d3863bae2d653ec4490a3242af887b5fdcd63a7d8847e7b79abe88eecdb6ae13
  SHA512: 858d0229e5095b8504dea73326a42b39d7bd71402cd35065ddf2810e6277749f8ec6df0570143421230368e3136ff7dd6e017c64a88edd408ad57731faaa3b8f