Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2024, 14:27

General

  • Target

    a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe

  • Size

    335KB

  • MD5

    04d68eaf478d47657476caf43d7285c0

  • SHA1

    ce15233f41f268c12fb404dee0fd43278a8ea1a7

  • SHA256

    a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5

  • SHA512

    1ad03af4af901ca022b64a9d2e630219fc546afa72ee3ab978413b7cdb1c0cc651074b28bac870b1ba27e3b883e3d64524e33d63727403fdaabf090d500543e5

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cir

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe
    "C:\Users\Admin\AppData\Local\Temp\a450e5582c57fd586cff18525cb71193d17786f64ae3850df33967c805eabae5N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\dahal.exe
      "C:\Users\Admin\AppData\Local\Temp\dahal.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Users\Admin\AppData\Local\Temp\wyizu.exe
        "C:\Users\Admin\AppData\Local\Temp\wyizu.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    c172a424cc00b26d4d85581ae514e7d8

    SHA1

    a7ecdb5ec063dac988c82b20d1f0a86b92614006

    SHA256

    5b527a29c060d697eec47886c68afd011769d9228bdd88908fe3830785e07fe3

    SHA512

    d84c0f57c681eea26dee174c9a60bbe3f7a1442ac30ce38b05e57fc9e4b94c44f208eaa2112f913be04cce8459aeb959a4990b3c002ad09803e8fb80fab5b12b

  • C:\Users\Admin\AppData\Local\Temp\dahal.exe

    Filesize

    335KB

    MD5

    151395892f7efc5265fc4ffec79a46c4

    SHA1

    f13296fa493bcbc67ac308645f6972383f4806f2

    SHA256

    ef9a469fce77af704fe9690e96cda131b8d860f03d567f6afe2c26c990659e57

    SHA512

    48e75689e0addf71760b80782703fdf2fe886de3eb4db8a7a20ff6696995d9558d982f4669d32e9ab185367e55bd4b10578710f9a988c40c9621956630015c40

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    88641f8e713c756f3bf80fef94be37ad

    SHA1

    34e8ee51d2897cb7731c9cf7bbab0c6f32012bb8

    SHA256

    312f585965ad09b4550e7d370cc8f4f1ef697a10ff68876ad2bfd0900a2dff3c

    SHA512

    6da7b855c7ff5875548297854a66bb135a4cb7b822c5638ddddee628e5e74ce156ee798e6e0b17b581d09f919cd87f7479d5556e681b0374e091a5b2791a9daf

  • C:\Users\Admin\AppData\Local\Temp\wyizu.exe

    Filesize

    172KB

    MD5

    21b8a05637dc4c1a11ef630d5650bc2f

    SHA1

    d1c628490a8d2f3556e70364a661c01df52fbc03

    SHA256

    d3863bae2d653ec4490a3242af887b5fdcd63a7d8847e7b79abe88eecdb6ae13

    SHA512

    858d0229e5095b8504dea73326a42b39d7bd71402cd35065ddf2810e6277749f8ec6df0570143421230368e3136ff7dd6e017c64a88edd408ad57731faaa3b8f

  • memory/1132-39-0x0000000000CE0000-0x0000000000D79000-memory.dmp

    Filesize

    612KB

  • memory/1132-40-0x0000000000CD0000-0x0000000000CD2000-memory.dmp

    Filesize

    8KB

  • memory/1132-36-0x0000000000CE0000-0x0000000000D79000-memory.dmp

    Filesize

    612KB

  • memory/1132-44-0x0000000000CE0000-0x0000000000D79000-memory.dmp

    Filesize

    612KB

  • memory/1132-45-0x0000000000CE0000-0x0000000000D79000-memory.dmp

    Filesize

    612KB

  • memory/3420-16-0x0000000000B20000-0x0000000000BA1000-memory.dmp

    Filesize

    516KB

  • memory/3420-1-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

  • memory/3420-0-0x0000000000B20000-0x0000000000BA1000-memory.dmp

    Filesize

    516KB

  • memory/5068-14-0x0000000000520000-0x0000000000521000-memory.dmp

    Filesize

    4KB

  • memory/5068-13-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB

  • memory/5068-19-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB

  • memory/5068-42-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB