Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 77s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2025, 13:57
Static task: static1
Behavioral task: behavioral1
Sample: 084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
Resource: win7-20240903-en
General
Target: 084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
Size: 336KB
MD5: 1b86aa4c7c6b949ca2bb3f9dcb7da180
SHA1: 03f2fb8c4293107e31ea4bd79caa450f2481bc5b
SHA256: 084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963db
SHA512: 3f4ff90189221e07ca303fab43df3d9056f7fdce115af757c268450d904968537abd370e4000261ec5b82394d563bfe6c27555386b75987d4ec1a0b396a556c3
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcV8:vHW138/iXWlK885rKlGSekcj66cil
Malware Config
Extracted
Family: urelas
Addresses: 218.54.31.226, 218.54.31.165, 218.54.31.166
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid 2332 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2092 ysxow.exe
  pid 1560 hylon.exe
- Loads dropped DLL (2 IoCs)
  pid 2288 084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
  pid 2092 ysxow.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened by: 084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe, ysxow.exe, cmd.exe, hylon.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 1560 hylon.exe (25 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid -> target pid (source process, procid_target), event count:
  2288 -> 2092 (084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe, 30), 4 events
  2288 -> 2332 (084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe, 31), 4 events
  2092 -> 1560 (ysxow.exe, 34), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe (PID 2288)
   command line: "C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ysxow.exe (PID 2092, child of 2288)
      command line: "C:\Users\Admin\AppData\Local\Temp\ysxow.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\hylon.exe (PID 1560, child of 2092)
         command line: "C:\Users\Admin\AppData\Local\Temp\hylon.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe (PID 2332, child of 2288)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
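The WriteProcessMemory rows and the nesting of the process list together give the execution chain of this task: the submitted sample starts ysxow.exe and a cmd.exe that runs a .bat from %TEMP%, and ysxow.exe in turn starts hylon.exe. The Python script below is an added example, not part of the tria.ge report and not Urelas tooling. It takes the report's process list and "wrote to memory" pairs (constructed inline from the tables on this page), rebuilds the parent/child tree, and flags two patterns a detection engineer would care about: a %TEMP%-resident executable launching another %TEMP%-resident executable, and a %TEMP%-resident executable launching cmd /c on a batch file in %TEMP%, which is the shape of the "Deletes itself" signature attached to PID 2332. The rule names and the "first writer into a pid is its parent" heuristic are this example's own assumptions.

```python
"""Rebuild the process chain from this behavioural report and flag the
drop-to-%TEMP%-and-execute / batch self-delete pattern.

Added example, not part of the tria.ge report. PROCESSES and WRITES are
constructed from the report's process list and 'wrote to memory' rows.
"""
import re

# Case-insensitive marker for a file living under %LOCALAPPDATA%\Temp.
TEMP_MARKER = "\\appdata\\local\\temp\\"

# (pid, image path, command line) for each process in the report.
PROCESSES = [
    (2288,
     r"C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe"'),
    (2092, r"C:\Users\Admin\AppData\Local\Temp\ysxow.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ysxow.exe"'),
    (1560, r"C:\Users\Admin\AppData\Local\Temp\hylon.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\hylon.exe"'),
    (2332, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
]

# (source pid, target pid) from the 'wrote to memory' table. The monitor logs
# one row per WriteProcessMemory call, so every pair shows up four times.
WRITES = [(2288, 2092)] * 4 + [(2288, 2332)] * 4 + [(2092, 1560)] * 4

# A Windows path ending in .bat, as it appears inside a cmd /c command line.
BAT_PATH = re.compile(r'([a-z]:\\[^"]*?\.bat)', re.IGNORECASE)


def in_temp(path):
    return TEMP_MARKER in path.lower()


def build_tree(writes):
    """Map child pid -> parent pid.

    Heuristic (an assumption of this example): the first process that writes
    into a pid's memory is its parent, because a parent's early writes into a
    freshly created child are how the sandbox surfaces CreateProcess."""
    parent = {}
    for src, dst in writes:
        parent.setdefault(dst, src)
    return parent


def ancestry(pid, parent):
    """Return the chain root -> ... -> pid."""
    out = [pid]
    while out[-1] in parent:
        out.append(parent[out[-1]])
    return out[::-1]


def findings(processes, writes):
    """Return (parent map, list of (rule, parent pid, child pid))."""
    info = {pid: (image, cmdline) for pid, image, cmdline in processes}
    parent = build_tree(writes)
    hits = []
    for pid, (image, cmdline) in info.items():
        ppid = parent.get(pid)
        if ppid is None:
            continue  # root of the tree: the submitted sample
        parent_image = info[ppid][0]
        # Rule 1: a %TEMP% executable launching another %TEMP% executable.
        if in_temp(parent_image) and in_temp(image):
            hits.append(("TEMP_DROP_CHAIN", ppid, pid))
        # Rule 2: a %TEMP% executable launching cmd /c on a %TEMP% batch file,
        # the shape of the report's 'Deletes itself' signature on pid 2332.
        bat = BAT_PATH.search(cmdline)
        if (image.lower().endswith("\\cmd.exe") and " /c" in cmdline.lower()
                and bat and in_temp(bat.group(1)) and in_temp(parent_image)):
            hits.append(("BATCH_SELF_DELETE", ppid, pid))
    return parent, hits


if __name__ == "__main__":
    parent, hits = findings(PROCESSES, WRITES)
    for pid in sorted(parent):
        print(" -> ".join(map(str, ancestry(pid, parent))))
    for rule, ppid, pid in hits:
        print(f"{rule}: {ppid} -> {pid}")
```

Run stand-alone it prints the three chains (2288 -> 2092, 2288 -> 2092 -> 1560, 2288 -> 2332) and three findings. Against a real EDR feed you would take the parent from the process-creation event rather than from WriteProcessMemory; the heuristic here only exists because this report exposes the creation relationship through those writes.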
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 342B
  MD5: 67a56aaa62b91c3cd7aab35fcd3af867
  SHA1: 98bb1c207b8abe6cb9effd63acc12e38eadfe2da
  SHA256: daeac78219c24c64d8f1edb80059e024de0c7a900d94d542056a4cad73d35a18
  SHA512: 5d1d7065979ca65d42eb9e2d67feaed27459b2336023b9a736fe45cc1c34bad22d3dab3f956fd1de064bdd08ccc5eb11dab98c630da9c8c520b5102b2e7e6570
File 2
  Filesize: 512B
  MD5: 974eefd148655ae629bdc14d8a339f3c
  SHA1: 44ada3e870128ac7dad955e84ca5088011cf70c3
  SHA256: 38113a79683ab289e06cedc3270b007f67af6f1939fe90e28c99882dcc6dae3a
  SHA512: 3cb694bd82b3360bd8fb4d157d68ef41908924680b982e9e29207c787f46166d41b26538c28f2ed8bd94554a6e766b83902c29fa41af2263a2194281a1d17876
File 3
  Filesize: 336KB
  MD5: 07ca9f085bc1307b9893030fee2f8774
  SHA1: f59fec993157a8d3d3b264e66dc3c9b8f05ef70d
  SHA256: 376f218d3ca6a99035d95dfe1506cbe0b18f31d7cd81eddea1265f3ae90c5b5b
  SHA512: 6756763f9d7d7548e1a2165e7d563b3fa24396fabde2a28156a89d0d403b2ba749e4b74d021007ec790d5d074efd678a17109553fa0c62683bc4241e73b1cd10
File 4
  Filesize: 172KB
  MD5: f7375132c0105f687f5131e17ebb0439
  SHA1: 830fbb56803da9f4f93a86b1d7d0bc7297d320a2
  SHA256: a1b154f115d3c5304c51948447287066ae65bffb3d63c7687110c47a57864bb2
  SHA512: b871b063860140f8498095f0528bfe4f05308e35c96a6a797875b5ebacf5f52ec3838f833ba289ddd84d9ac650826eb7c44281d84a5c7381c758ed61ab718b62