Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2024, 07:32
Behavioral task: behavioral1
Sample: 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Resource: win7-20240903-en
General
Target: 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Size: 427KB
MD5: 2c5283c0e5519979932fb112a11d86e3
SHA1: c512c7ca7666c6c7a20a82fa7b5b3c140587814e
SHA256: 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5
SHA512: 0af2f0f0ccaa9029d99c6dbac951d928b68bb0c48d643d6d09d90a9e286aa4ea468c789b57d3f2bb0a9e450f0a1ef9f0bb69597a65c1f6156233b0962c2becf0
SSDEEP: 6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsp:YU7M5ijWh0XOW4sEfeOA
Malware Config
Extracted family: urelas
218.54.31.226
218.54.31.165
Signatures

Urelas family
  resource: behavioral2/files/0x0003000000000705-22.dat
  yara_rule: aspack_v212_v242

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | heriu.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4936 | heriu.exe
  3020 | xolim.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | heriu.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xolim.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3020 | xolim.exe (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4484 wrote to memory of 4936 | 4484 | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe | 82 (3 identical entries)
  PID 4484 wrote to memory of 4916 | 4484 | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe | 83 (3 identical entries)
  PID 4936 wrote to memory of 3020 | 4936 | heriu.exe | 94 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe (depth 1, PID 4484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\heriu.exe (depth 2, PID 4936)
    Command line: "C:\Users\Admin\AppData\Local\Temp\heriu.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xolim.exe (depth 3, PID 3020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xolim.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4916)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: eb31203f5f96923d92feaff32488c418
SHA1: 9705f8f7486538cf9e3189cf2f247613ca1ac64a
SHA256: 97a329565d2ba8c8f6bf8fcdcb8f8022d8f2d9677c3c2592b46df9ca6743e4cc
SHA512: 7bdaa10c1b77004b1e4b3d3842b62c95ea362cd5434d5c522cba872ae7e90a97d8713bb4ecd78cdc3f3fa0e5d909c02a4aaa1225d47cbaa4eacf2fdd4f75c94a

Filesize: 512B
MD5: bfd6f4e30716c4778a0faf16ca8e93fa
SHA1: 79217af7d2100b3f120111fa0a3274ae190a9209
SHA256: 443deebdb8b1feccdc71df21f720a918d7cbe3c319cb1a085d0d79750b590ba9
SHA512: eceed8428b31ed2f4bda72fb11d755166bf6b4fa1dae15bc853b70e7c632a432d8074277c55c57bb71ea13b1761b2f01a5a0d80b2b93bd8596fdcac93090acf3

Filesize: 427KB
MD5: 6fb1e18049e8fc4a955ed9fd35ee3bf5
SHA1: dca113318ff01d963e8a15b315d7f72549321f05
SHA256: e7a6683c04260aefe2ef791fa6dec778be99a44b241505837bb50206e71a760e
SHA512: 60ecdff1b4f9ee4c998a79c7f50513b1f64ab8004b13395e5c8e8ca807b567cc04953fab368bf5f74af46f187b1b77dacee5e7105733a0d4d77b9538299034f6

Filesize: 212KB
MD5: f43400b090d1d88563c13f4fc5b3bc0e
SHA1: 64b245a96a94707976a2e1e7dda704adb8b6f7c3
SHA256: 8b68a7c3bcd1f74f96fc739b9c60c333bba9657b8bf067f1a656e98929be926e
SHA512: 414d7302a0e3d60128e4919a0f32580a99fae6f40345714a98ded5d778f0f9f016cdc637291dc083cdb64bda5f0015df7cfda38c01bca92c1850fae8d9ee4cc7