Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2024, 18:51

General

  • Target

    511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe

  • Size

    508KB

  • MD5

    eb48477271572c6589faed3de0a22420

  • SHA1

    ad4fe8092ab79c942e4f55c82dc160bb95885258

  • SHA256

    511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9ed

  • SHA512

    74f037cb5f2174f478adcdde225b1f9fa66d2477ef99c79cee66bbb3abcbcff5be80b4f38e7f9c0c881978da74bf1814331494636319b31cdb5f07e9f8f1661f

  • SSDEEP

    12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKop:3MUv2LAv9AQ1p4dKY

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe
    "C:\Users\Admin\AppData\Local\Temp\511e7048c26382693bc5949169e611c67e51687088fcd383453ca5586dc9f9edN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\zyzad.exe
      "C:\Users\Admin\AppData\Local\Temp\zyzad.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Users\Admin\AppData\Local\Temp\raogo.exe
        "C:\Users\Admin\AppData\Local\Temp\raogo.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    47bf8eb2e74fc36b06ac669ef243a886

    SHA1

    852f333eab64749106ffcecb52d764ddccf455c1

    SHA256

    190af1c1580486206366aa42f93623b91e71b5b21a48dffb88fabbe9b3e9e270

    SHA512

    73c096e9c503837b3c09f26cd0abf7ef14aa276a758684a8df71cfac4739a28233d5c62577fe10ea839eab1d712f4c84a7ecbadbb74d0f8dfc7de3d857097e8e

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    2599eb761711c080d16d8e25b10999a2

    SHA1

    4635638d2b69ac5f1bf25ac0057150f0780fc42d

    SHA256

    75739b47825d7daeed6139872e8577f803521583a334b677dd51d5b4af1e8402

    SHA512

    75c0c08214c3d28a23628c54e85cab934d0970bd74e96a195f8d85fd340de0ba8a9e4701718610fd8ee4422eca7d9bafb8ae60beb86cc773f9e00cee4786758a

  • C:\Users\Admin\AppData\Local\Temp\raogo.exe

    Filesize

    172KB

    MD5

    b0775b1001a9a9acd7107166a482c7aa

    SHA1

    493011b209a1b7d91fc5a6e434790865d913da87

    SHA256

    038c1a086dbe6520a496233422f9b95878ddbab9535b30dc60c55efd5ca9db7d

    SHA512

    48f66bf045ff17211fffca9e5ac7c48e67f6ce30dc64b7b1a691594600e91c88ca063fa8341a084bee029cb01510611549e1656c8fa72d631be275fc87d34de6

  • C:\Users\Admin\AppData\Local\Temp\zyzad.exe

    Filesize

    508KB

    MD5

    583107c34c952675d660c3e8ea9c8d29

    SHA1

    9fdea1e90be8b9dc7a9b7e95d13deca886866d1b

    SHA256

    05ba81cfc659d29969f899227776b34ec642d916efb84213b7a27c9255f33389

    SHA512

    566f5349193f3f3611f60f59c4f8edacd2e261747192e1578a58aeec93596565f1dace71006db481349440d5191a9a1a2d32e77f882de68fed671ec82ce34d7c

  • memory/468-29-0x0000000000E60000-0x0000000000EF9000-memory.dmp

    Filesize

    612KB

  • memory/468-35-0x0000000000E60000-0x0000000000EF9000-memory.dmp

    Filesize

    612KB

  • memory/468-33-0x0000000000E60000-0x0000000000EF9000-memory.dmp

    Filesize

    612KB

  • memory/468-34-0x0000000000E20000-0x0000000000E22000-memory.dmp

    Filesize

    8KB

  • memory/468-27-0x0000000000E20000-0x0000000000E22000-memory.dmp

    Filesize

    8KB

  • memory/468-26-0x0000000000E60000-0x0000000000EF9000-memory.dmp

    Filesize

    612KB

  • memory/1212-14-0x0000000000190000-0x0000000000211000-memory.dmp

    Filesize

    516KB

  • memory/1212-0-0x0000000000190000-0x0000000000211000-memory.dmp

    Filesize

    516KB

  • memory/2964-28-0x0000000000710000-0x0000000000791000-memory.dmp

    Filesize

    516KB

  • memory/2964-17-0x0000000000710000-0x0000000000791000-memory.dmp

    Filesize

    516KB

  • memory/2964-10-0x0000000000710000-0x0000000000791000-memory.dmp

    Filesize

    516KB