Analysis
Max time kernel: 119s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 24/01/2025, 03:45
Static task: static1
Behavioral task: behavioral1
Sample: 1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Resource: win7-20240903-en
General
Target: 1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Size: 337KB
MD5: e6b76480839da7c11075198a296521db
SHA1: 16ea461d8ccd09bda7f9535d24448bc46d897425
SHA256: 1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60
SHA512: 3f0a99d13b9a77f0570f45c9be72c0e52ae34101de65924ee6091e2df8238c1e9e433453569b17ed8caa142fb603c3c163574a9f19063b0793a56665dc4fc440
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKCM:vHW138/iXWlK885rKlGSekcj66ciZ
Malware Config
Extracted configuration (family: urelas), addresses:
  218.54.31.226
  218.54.31.165
  218.54.31.166
Signatures

Urelas family

Deletes itself (1 IoC)
  pid 2108  cmd.exe

Executes dropped EXE (2 IoCs)
  pid 2288  sodoa.exe
  pid 2908  jujyd.exe

Loads dropped DLL (2 IoCs)
  pid 2256  1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
  pid 2288  sodoa.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sodoa.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jujyd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid 2908  jujyd.exe  (all 24 events from this process)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 2256 wrote to memory of 2288    2256  1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe  31  (4 events)
  PID 2256 wrote to memory of 2108    2256  1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe  32  (4 events)
  PID 2288 wrote to memory of 2908    2288  sodoa.exe                                                               35  (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe"
  PID: 2256
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\sodoa.exe (child of PID 2256)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sodoa.exe"
    PID: 2288
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jujyd.exe (child of PID 2288)
      Command line: "C:\Users\Admin\AppData\Local\Temp\jujyd.exe"
      PID: 2908
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (child of PID 2256)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2108
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 340B
  MD5: a0c488d232db3ca63d36e74b97204d55
  SHA1: 208d0c1a9151a12e595a11e8619232e6cd127acb
  SHA256: 11b4793224a20e7bd0c38fc6fb7fb81bbe7aee3223dc73ba80bcddd263054c05
  SHA512: 73a0f5565c767226837add0668e88825f0cc18b90859b32225eb5e5da5d93002c8a8cda5a01c07d8539e205e9ce393deb745a99c5e207409b88aeac4327721d7

File 2
  Filesize: 512B
  MD5: 61783815239d9808b7295c0b82e4787f
  SHA1: 9203528fc9909f4f8e850f7614d6b563d1600f5a
  SHA256: ee6532efdef15e8cd90f60c6d0950faf5dcbbcbb6e7afdf5b7d20809efecaed3
  SHA512: 1cabae6004f5223edf46b5c755af28c69f8ce39d1fae92017eff1db17b24be0efa9196a948ab814d7fcdfebf77d8a11258ead89744fe58c129b08ae773ec1149

File 3
  Filesize: 172KB
  MD5: 8f8b4730a0b26c5a6e016db92b9cd1fe
  SHA1: 8e70e5489a70aebb1aefb0ec42d1897e126da250
  SHA256: c458c42fea822e30841f65550fba1393ec6e4a86ebf8f59ca257d32418e8b3f4
  SHA512: 9be311268a1398628c1d40382e9bc6f87308881e9d7b3a9ce8000392fb2c6f790e5e680b41e03b4eb9dc1bcfd9aba3efe544d198a7f5773a901328f96efa8107

File 4
  Filesize: 337KB
  MD5: 7de597c430c8d604ce7a044f6586e3fe
  SHA1: 7771e6cc0ac62a73e932ba97c253843a5a653061
  SHA256: 253ba70fe70edac964ec1154df5a396104371dcead9b1161b3d4af24c3905bb6
  SHA512: 98df6e4e45bf1033fb81aaa19675b71185441a7ca5f1753a87144a339d794afbba98b6def78bb74ac366c7a0e010c704a2c1201b8e96f4f20cf03bf3a9d3b9ed