Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 07/12/2024, 02:30

Behavioral task: behavioral1
- Sample: c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
- Resource: win7-20241010-en

General
- Target: c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
- Size: 419KB
- MD5: ad3c035ef68a24ff4176375bcdbdfef0
- SHA1: dfcf400b12143c8d1626517034261dd625c5cd53
- SHA256: c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365
- SHA512: d27ec8fc9abc4cc1f5a10e724ce1f74bbb09c5ca0c2d4b72aa0ff2e630a3f1b91db675d904bdb5e3d2118e513ee3657f588b3245da7f741020259862832d907b
- SSDEEP: 6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsvFwy:hU7M5ijWh0XOW4sEfeOkr
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
- Urelas family
  resource | yara_rule
  behavioral1/files/0x0004000000004ed7-26.dat | aspack_v212_v242
- Deletes itself (1 IoCs)
  pid | Process
  1680 | cmd.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1040 | cisus.exe
  336 | aclol.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
  2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
  1040 | cisus.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aclol.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cisus.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid | Process
  336 | aclol.exe (this row is repeated for all 54 IoCs in the report)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2604 wrote to memory of 1040 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 30
  PID 2604 wrote to memory of 1040 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 30
  PID 2604 wrote to memory of 1040 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 30
  PID 2604 wrote to memory of 1040 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 30
  PID 2604 wrote to memory of 1680 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 31
  PID 2604 wrote to memory of 1680 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 31
  PID 2604 wrote to memory of 1680 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 31
  PID 2604 wrote to memory of 1680 | 2604 | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe | 31
  PID 1040 wrote to memory of 336 | 1040 | cisus.exe | 34
  PID 1040 wrote to memory of 336 | 1040 | cisus.exe | 34
  PID 1040 wrote to memory of 336 | 1040 | cisus.exe | 34
  PID 1040 wrote to memory of 336 | 1040 | cisus.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe (level 1, PID: 2604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cisus.exe (level 2, PID: 1040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cisus.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\aclol.exe (level 3, PID: 336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\aclol.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID: 1680)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 5db75dd1cd006582f4132530f639e094
  SHA1: e2c83e4f5fcc22ea06531df28c3a2ab3e5fd2e3f
  SHA256: 62a61899aebf7002a7b8ba56179ea67a714397d52a6138a8e73cf1f2fe0a6a51
  SHA512: 98434a96fe5eab83304b0ac3949b800500a0598e4ac4154eb76076731ecc6334e00b27273b4385252c34796ecc1f34c174baf6adb59e0352f78b56e4b099e969
- Filesize: 512B
  MD5: a89ab349749048d8366159d26b37893e
  SHA1: f4ed79b084a00331a97f5771b49155b91d9ca6ac
  SHA256: bd2831f2c3e5a84c75a83cf82e67655a922443997dbfa912b103ac1c04fc6941
  SHA512: 2de0c080a921b794a0872421ff1051522106207ba817699d202ad23262554f90081fd05a5e31bfc17f1fd5572a692ca29b8de7648710d9a9f2e36e53664246ac
- Filesize: 212KB
  MD5: 55bdf2c712738e997825bb20b7bdee28
  SHA1: e49793b03039f806202a7b97afcbba8fee286f9b
  SHA256: 138b013018880ee8301dbf2485066f4c58802017880b5eaa90900dd6697370a0
  SHA512: 47ffa1fc0c5ee911270f9488e855ce5465e8b2e4dce808f0b3d03a225f9e02c14b6e55ff4b35ccb807a6e943390b1b362fdbb522c5472ad549551b55973c30be
- Filesize: 419KB
  MD5: 7cbc0d127cc58d4a333a603d712323bc
  SHA1: 35b94961aa5315ae2b3e9e176a67d0731f3d05ba
  SHA256: dfc5c7bf41fff5994b54f45bee49ec675dd83b8bd25d870ff06483ffb238a030
  SHA512: f5d555a61b3b1e76521933432ba0b30787c8b96a884312bd94f0bbee4a3126cf999a10537e962c2020a26b2693bcee9eed7dc67b26daaa7214a4c71a8e9478c7