Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

962f0b0893...58.exe

windows7-x64

10

962f0b0893...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/01/2025, 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    962f0b089380f0c2f49d7ebfbb2ac857766698c0fca0d4bd9919572dc9b51c58.exe

  • Size

    94KB

  • MD5

    ac33f7fadbdc4830ac9aa3572e69cfbe

  • SHA1

    4e024b5771443c3636d26d72fc2cbec12c2c9aac

  • SHA256

    962f0b089380f0c2f49d7ebfbb2ac857766698c0fca0d4bd9919572dc9b51c58

  • SHA512

    a521074c5bdd8e2302f3fc8019e4fc8a27f208fe6e9148961855f1d30dd27a6fc52dcf8d835e5684b4a9cea2c6ce20a46bda2229a8dcb987566b99e7f28275d9

  • SSDEEP

    768:tp0ti4HnnhtwYbJy6rioyelmd1TzulQEDDPOwc5n5uNCT/jhhLBxQIwqepJZU9mk:tWzhtJbUgHoADDIx1hLfuJrk

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\962f0b089380f0c2f49d7ebfbb2ac857766698c0fca0d4bd9919572dc9b51c58.exe
    "C:\Users\Admin\AppData\Local\Temp\962f0b089380f0c2f49d7ebfbb2ac857766698c0fca0d4bd9919572dc9b51c58.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    16c2bcf1dae729c5cb36a1875efe354c

    SHA1

    775fbf4b6a2e5bc033b86cfc0893250b5d387a45

    SHA256

    796a881d71234f7fcd9f5220c6e5674e231610bbf37626d9e5b79dc3268b7bb4

    SHA512

    d8bd6cb6cb6ccd3c2cc40edde9cd3e8c09d1ae55c21ac1896325c324c08507e68c16d3864923806d29db79c57b958dac68e43bdcf809c0a2c8b5b0a7b8557177

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\huter.exe
    Filesize

    94KB

    MD5

    3a6d014c602ffacb08f6fd9a051fd641

    SHA1

    5a2e524dec4a04ea56f08990a658496c62770b77

    SHA256

    9450c09d24dae875b8416455a1c91ca4509fbc8d3de221683be82c6462d57b13

    SHA512

    cd27afadce60c0bed0f128e3a8a5ce822f7247d6391261fc9dfc12ef5eeb5d80393f3d457f2c5ec6e118b1f7b29acf254f90ef03a0192001f26ce4ed16b15fd7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize

    338B

    MD5

    a6b98b6a2dcdd0d3f2c03a1ae898bb55

    SHA1

    22882879860888141298817888fbabb56fe7bc92

    SHA256

    62e094d7cc46f096c681af535bbc8d73e669cc95fcfe4a79800a152891fe8d6f

    SHA512

    98c58dfcd1e5e0fea28719aa350355fdaec56e24d1da5560783c7b1a604b375f7ae945255671ed64bfff4fe903261e731923be09e3e3c70b71cbe63430fc329a

    Download Submit

  • memory/2764-0-0x00000000000D0000-0x0000000000100000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2764-15-0x00000000000D0000-0x0000000000100000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4100-9-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4100-18-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4100-20-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4100-26-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

    Filesize

    192KB

    Download