Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23/01/2025, 03:27
Behavioral task: behavioral1
- Sample: 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
- Resource: win7-20240903-en
General
- Target: 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
- Size: 438KB
- MD5: b40e208afec48c1c8d1e41e87d015453
- SHA1: 56fedd2c3fa4b49bd550ef362180e8d7a26b334f
- SHA256: 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09
- SHA512: f104219b752306fe690607f2d123dd2d1604d6b36257eaebe58696bbd2beb2454b32b20c7779ce2a24af083ec2cc1744fe3e53323448430e39d88be9ffed0316
- SSDEEP: 6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMM2:rKf1PyKa2H3hOHOHz9JQ6zB8
Malware Config
Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.165
- 218.54.31.226
Signatures
- Urelas family
- Deletes itself (1 IoC): pid 2720, cmd.exe
- Executes dropped EXE (2 IoCs): pid 2480, qykic.exe; pid 2876, welyl.exe
- Loads dropped DLL (2 IoCs): pid 2504, 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe; pid 2480, qykic.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs): attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe, qykic.exe, cmd.exe and welyl.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs): all 54 entries are pid 2876, welyl.exe
- Suspicious use of WriteProcessMemory (12 IoCs), as description / pid / Process / procid_target:
  PID 2504 wrote to memory of 2480 / 2504 / 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe / 31 (4 entries)
  PID 2504 wrote to memory of 2720 / 2504 / 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe / 32 (4 entries)
  PID 2480 wrote to memory of 2876 / 2480 / qykic.exe / 34 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2504
   2. C:\Users\Admin\AppData\Local\Temp\qykic.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qykic.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2480
      3. C:\Users\Admin\AppData\Local\Temp\welyl.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\welyl.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         PID: 2876
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads