Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07/12/2024, 02:30

General

  • Target

    c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe

  • Size

    419KB

  • MD5

    ad3c035ef68a24ff4176375bcdbdfef0

  • SHA1

    dfcf400b12143c8d1626517034261dd625c5cd53

  • SHA256

    c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365

  • SHA512

    d27ec8fc9abc4cc1f5a10e724ce1f74bbb09c5ca0c2d4b72aa0ff2e630a3f1b91db675d904bdb5e3d2118e513ee3657f588b3245da7f741020259862832d907b

  • SSDEEP

    6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsvFwy:hU7M5ijWh0XOW4sEfeOkr

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe
    "C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Users\Admin\AppData\Local\Temp\cisus.exe
      "C:\Users\Admin\AppData\Local\Temp\cisus.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Users\Admin\AppData\Local\Temp\aclol.exe
        "C:\Users\Admin\AppData\Local\Temp\aclol.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:336
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    5db75dd1cd006582f4132530f639e094

    SHA1

    e2c83e4f5fcc22ea06531df28c3a2ab3e5fd2e3f

    SHA256

    62a61899aebf7002a7b8ba56179ea67a714397d52a6138a8e73cf1f2fe0a6a51

    SHA512

    98434a96fe5eab83304b0ac3949b800500a0598e4ac4154eb76076731ecc6334e00b27273b4385252c34796ecc1f34c174baf6adb59e0352f78b56e4b099e969

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    a89ab349749048d8366159d26b37893e

    SHA1

    f4ed79b084a00331a97f5771b49155b91d9ca6ac

    SHA256

    bd2831f2c3e5a84c75a83cf82e67655a922443997dbfa912b103ac1c04fc6941

    SHA512

    2de0c080a921b794a0872421ff1051522106207ba817699d202ad23262554f90081fd05a5e31bfc17f1fd5572a692ca29b8de7648710d9a9f2e36e53664246ac

  • \Users\Admin\AppData\Local\Temp\aclol.exe

    Filesize

    212KB

    MD5

    55bdf2c712738e997825bb20b7bdee28

    SHA1

    e49793b03039f806202a7b97afcbba8fee286f9b

    SHA256

    138b013018880ee8301dbf2485066f4c58802017880b5eaa90900dd6697370a0

    SHA512

    47ffa1fc0c5ee911270f9488e855ce5465e8b2e4dce808f0b3d03a225f9e02c14b6e55ff4b35ccb807a6e943390b1b362fdbb522c5472ad549551b55973c30be

  • \Users\Admin\AppData\Local\Temp\cisus.exe

    Filesize

    419KB

    MD5

    7cbc0d127cc58d4a333a603d712323bc

    SHA1

    35b94961aa5315ae2b3e9e176a67d0731f3d05ba

    SHA256

    dfc5c7bf41fff5994b54f45bee49ec675dd83b8bd25d870ff06483ffb238a030

    SHA512

    f5d555a61b3b1e76521933432ba0b30787c8b96a884312bd94f0bbee4a3126cf999a10537e962c2020a26b2693bcee9eed7dc67b26daaa7214a4c71a8e9478c7

  • memory/336-39-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-40-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-35-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-41-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-38-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-34-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-33-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-37-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/336-31-0x0000000000200000-0x0000000000294000-memory.dmp

    Filesize

    592KB

  • memory/1040-28-0x0000000003B90000-0x0000000003C24000-memory.dmp

    Filesize

    592KB

  • memory/1040-32-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/1040-23-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2604-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2604-20-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2604-6-0x0000000002980000-0x00000000029E5000-memory.dmp

    Filesize

    404KB