Analysis
max time kernel: 120s
max time network: 87s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2025, 00:55
Behavioral task
behavioral1
Sample
e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
Resource
win7-20240903-en
General
Target: e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
Size: 393KB
MD5: 73005a47e70ee59905df8dc1d81cd2df
SHA1: 86273bb1e238b77f5308f67217cb9d38899a9bf4
SHA256: e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e
SHA512: d76dae54212429764bbe8309f7b73de3c5e85ff4096cc4bffe390b82ebf1469bc4133aef0fe0d8c460923e60240f0573b5f0710c3fb354706b1faad82c47fa13
SSDEEP: 6144:y5SXvBoDWoyLYyzbpPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrBS:yIfBoDWoyFboU6hAJQnrS
Malware Config
Extracted family: urelas
  218.54.31.165
  218.54.31.226
Signatures
Urelas family

Deletes itself (1 IoC)
  PID 2096  cmd.exe

Executes dropped EXE (3 IoCs)
  PID 1040  tapyj.exe
  PID 2484  ihusyf.exe
  PID 1716  coxit.exe

Loads dropped DLL (5 IoCs)
  PID 2120  e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe (2 loads)
  PID 1040  tapyj.exe (2 loads)
  PID 2484  ihusyf.exe (1 load)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tapyj.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ihusyf.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  coxit.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  PID 1716  coxit.exe (26 occurrences)

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2120 (e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe) wrote to memory of PID 1040, procid_target 30 (4 occurrences)
  PID 2120 (e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe) wrote to memory of PID 2096, procid_target 31 (4 occurrences)
  PID 1040 (tapyj.exe) wrote to memory of PID 2484, procid_target 33 (4 occurrences)
  PID 2484 (ihusyf.exe) wrote to memory of PID 1716, procid_target 35 (4 occurrences)
  PID 2484 (ihusyf.exe) wrote to memory of PID 1668, procid_target 36 (4 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe"
  PID: 2120
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tapyj.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tapyj.exe" hi
    PID: 1040
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ihusyf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ihusyf.exe" OK
      PID: 2484
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\coxit.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\coxit.exe"
        PID: 1716
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1668
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2096
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads