Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/01/2025, 03:27

General

  • Target

    77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe

  • Size

    438KB

  • MD5

    b40e208afec48c1c8d1e41e87d015453

  • SHA1

    56fedd2c3fa4b49bd550ef362180e8d7a26b334f

  • SHA256

    77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09

  • SHA512

    f104219b752306fe690607f2d123dd2d1604d6b36257eaebe58696bbd2beb2454b32b20c7779ce2a24af083ec2cc1744fe3e53323448430e39d88be9ffed0316

  • SSDEEP

    6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMM2:rKf1PyKa2H3hOHOHz9JQ6zB8

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
    "C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\qykic.exe
      "C:\Users\Admin\AppData\Local\Temp\qykic.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Users\Admin\AppData\Local\Temp\welyl.exe
        "C:\Users\Admin\AppData\Local\Temp\welyl.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    18cf1d671fe761828e90f702d62429ba

    SHA1

    e2bde96e97376e360e63107ca7c97bae293545ca

    SHA256

    a84a755ffdbdaa156ddb7f8143e74d3f64e00de1c01cd0382c38a9b6eae0ad77

    SHA512

    42a26336d3c0c1184ad03c2987e18f331205a5df82babfbe4d13fa198066ca4bc8ee26543e3963878cb95a59191d8c477a3a975e0c8ea0cb2b31b24fa1202282

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    5ebc4eaef68c33b55e90d7a961bc7765

    SHA1

    7d6753a015a0dad0305ad6a92d2742f2a4d94132

    SHA256

    6c920b4af9ec01a47a4fcd93969fcf1acc8b735f2ec0a1b35c934cb85c33b13d

    SHA512

    4561f13429bb04a63db74c60dc1b1d455cd036f54b44c00163f1e05755e3bacf283016a9b4152de07eeedb092f56fca0b7bffbf1f3cc82c0d26d2254937ecf4e

  • \Users\Admin\AppData\Local\Temp\qykic.exe

    Filesize

    438KB

    MD5

    adff480c42bb68cfe0e42494af2d4805

    SHA1

    96455d7bed931398830b52b1b43c504e72745ea2

    SHA256

    c1853dc00aef2d50be429f9a7b96c339e62620c3262e64f7707675c9064e39ba

    SHA512

    eab4600163a971080cf28c3ee1434131ee382e41aab607269fc0bfc1e7fb6a4e4ff9a74a8686a1d0db1cd5db5d768f5b878c2c64f8a9af54db0235b690d5ffdb

  • \Users\Admin\AppData\Local\Temp\welyl.exe

    Filesize

    230KB

    MD5

    b8aa367b0274a58d9bcd3d6f8a31f671

    SHA1

    1b13ff8f92e1a273f736b9c79b07b2cbf92c29f5

    SHA256

    9972d7028c5d81347e71ab116046acc81583d0ebc56d1a4a07ef3c4dbbe9369e

    SHA512

    a793138129898f7e12de055c94eca296f554d5653113b8f455f00fa4e72a70986a9ee1729ec5c97f50d4934be5fae8556ae17af4f3f592291efcf31283caa3de

  • memory/2480-28-0x0000000000A20000-0x0000000000A8E000-memory.dmp

    Filesize

    440KB

  • memory/2480-21-0x0000000000A20000-0x0000000000A8E000-memory.dmp

    Filesize

    440KB

  • memory/2480-27-0x00000000030F0000-0x000000000318E000-memory.dmp

    Filesize

    632KB

  • memory/2480-10-0x0000000000A20000-0x0000000000A8E000-memory.dmp

    Filesize

    440KB

  • memory/2504-18-0x0000000000C40000-0x0000000000CAE000-memory.dmp

    Filesize

    440KB

  • memory/2504-6-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

    Filesize

    440KB

  • memory/2504-0-0x0000000000C40000-0x0000000000CAE000-memory.dmp

    Filesize

    440KB

  • memory/2876-31-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2876-30-0x0000000000B10000-0x0000000000BAE000-memory.dmp

    Filesize

    632KB

  • memory/2876-34-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2876-33-0x0000000000B10000-0x0000000000BAE000-memory.dmp

    Filesize

    632KB

  • memory/2876-35-0x0000000000B10000-0x0000000000BAE000-memory.dmp

    Filesize

    632KB

  • memory/2876-36-0x0000000000B10000-0x0000000000BAE000-memory.dmp

    Filesize

    632KB

  • memory/2876-37-0x0000000000B10000-0x0000000000BAE000-memory.dmp

    Filesize

    632KB

  • memory/2876-38-0x0000000000B10000-0x0000000000BAE000-memory.dmp

    Filesize

    632KB