Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2024, 07:32

General

  • Target

    384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe

  • Size

    427KB

  • MD5

    2c5283c0e5519979932fb112a11d86e3

  • SHA1

    c512c7ca7666c6c7a20a82fa7b5b3c140587814e

  • SHA256

    384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5

  • SHA512

    0af2f0f0ccaa9029d99c6dbac951d928b68bb0c48d643d6d09d90a9e286aa4ea468c789b57d3f2bb0a9e450f0a1ef9f0bb69597a65c1f6156233b0962c2becf0

  • SSDEEP

    6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsp:YU7M5ijWh0XOW4sEfeOA

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
    "C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\AppData\Local\Temp\heriu.exe
      "C:\Users\Admin\AppData\Local\Temp\heriu.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Users\Admin\AppData\Local\Temp\xolim.exe
        "C:\Users\Admin\AppData\Local\Temp\xolim.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3020
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    eb31203f5f96923d92feaff32488c418

    SHA1

    9705f8f7486538cf9e3189cf2f247613ca1ac64a

    SHA256

    97a329565d2ba8c8f6bf8fcdcb8f8022d8f2d9677c3c2592b46df9ca6743e4cc

    SHA512

    7bdaa10c1b77004b1e4b3d3842b62c95ea362cd5434d5c522cba872ae7e90a97d8713bb4ecd78cdc3f3fa0e5d909c02a4aaa1225d47cbaa4eacf2fdd4f75c94a

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    bfd6f4e30716c4778a0faf16ca8e93fa

    SHA1

    79217af7d2100b3f120111fa0a3274ae190a9209

    SHA256

    443deebdb8b1feccdc71df21f720a918d7cbe3c319cb1a085d0d79750b590ba9

    SHA512

    eceed8428b31ed2f4bda72fb11d755166bf6b4fa1dae15bc853b70e7c632a432d8074277c55c57bb71ea13b1761b2f01a5a0d80b2b93bd8596fdcac93090acf3

  • C:\Users\Admin\AppData\Local\Temp\heriu.exe

    Filesize

    427KB

    MD5

    6fb1e18049e8fc4a955ed9fd35ee3bf5

    SHA1

    dca113318ff01d963e8a15b315d7f72549321f05

    SHA256

    e7a6683c04260aefe2ef791fa6dec778be99a44b241505837bb50206e71a760e

    SHA512

    60ecdff1b4f9ee4c998a79c7f50513b1f64ab8004b13395e5c8e8ca807b567cc04953fab368bf5f74af46f187b1b77dacee5e7105733a0d4d77b9538299034f6

  • C:\Users\Admin\AppData\Local\Temp\xolim.exe

    Filesize

    212KB

    MD5

    f43400b090d1d88563c13f4fc5b3bc0e

    SHA1

    64b245a96a94707976a2e1e7dda704adb8b6f7c3

    SHA256

    8b68a7c3bcd1f74f96fc739b9c60c333bba9657b8bf067f1a656e98929be926e

    SHA512

    414d7302a0e3d60128e4919a0f32580a99fae6f40345714a98ded5d778f0f9f016cdc637291dc083cdb64bda5f0015df7cfda38c01bca92c1850fae8d9ee4cc7

  • memory/3020-29-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-33-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-36-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-35-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-34-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-28-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-27-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-26-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/3020-32-0x0000000000AC0000-0x0000000000B54000-memory.dmp

    Filesize

    592KB

  • memory/4484-14-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/4484-0-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/4936-30-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/4936-12-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/4936-17-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB