Analysis
- max time kernel: 119s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2025, 10:08
Static task: static1
Behavioral task: behavioral1
Sample: d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
Resource: win7-20240903-en
General
- Target: d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
- Size: 335KB
- MD5: 80ae7de058edde7bbdc65889eccc79c0
- SHA1: e6ad995afef94c2b82353fe091ba54dc610d1fb9
- SHA256: d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad
- SHA512: 93662b5077180fa1bd52a643a8c209d73bdf7f6324eaf0323c1c4d08058c89124837ad0ebd23ba26797f6a76cf9a7d30887792fc4233ec4be6ce6b585f2d041d
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrY:vHW138/iXWlK885rKlGSekcj66ciS
Malware Config
Extracted family: urelas
C2 addresses:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Urelas family
- Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | tonug.exe
- Executes dropped EXE (2 IoCs)
pid | Process
3276 | tonug.exe
4660 | cusak.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tonug.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cusak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
pid | Process
4660 | cusak.exe (48 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2720 wrote to memory of 3276 | 2720 | d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe | 83 (3 identical entries)
PID 2720 wrote to memory of 2144 | 2720 | d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe | 84 (3 identical entries)
PID 3276 wrote to memory of 4660 | 3276 | tonug.exe | 104 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe"
   PID: 2720
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tonug.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tonug.exe"
      PID: 3276
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\cusak.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\cusak.exe"
         PID: 4660
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2144
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads