Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/02/2025, 02:26

General

  • Target

    4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe

  • Size

    629KB

  • MD5

    2636e72056b9ee9495548eb46a3a93d0

  • SHA1

    9b5cda0964ceb190487911bab16225d5a4ee63bf

  • SHA256

    4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9

  • SHA512

    13b78f3360b657e0096e2c1e7b49e23d0a3470f4a04cb4a84a65ac3977a329e76751a3d7604ac4c0f9610036f124516315fe4d26a0ebdd57ead4672baa24066e

  • SSDEEP

    6144:hmbmLppYOuakY1q5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupe10b:hma6id1Q8zzkGHVqoq/gI

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9947f580ce0254f3197e05a8247eaab30183ad8b292e6a16fb64701c9c77a9N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\hiakt.exe
      "C:\Users\Admin\AppData\Local\Temp\hiakt.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Users\Admin\AppData\Local\Temp\honow.exe
        "C:\Users\Admin\AppData\Local\Temp\honow.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    ab81a7cae5f3b4956a813b265151742e

    SHA1

    0912a00360776619b058187136f3d14420df14f3

    SHA256

    ca2f14247effbc1b52a50c0763ce0d180d482399ee8f485c185a9a41afc3973f

    SHA512

    ee0da9c1db68586c2d2a8b4bc8cecfd6cb6023445b38f1f765080c1438d09ed786493453fc16a62d070c8c375f0f0c1002e5ecc4027ed677c01116738abbcbf8

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    50baac52e02beb87483916c1f570c9a5

    SHA1

    a7c19f6995814c94e8e66c7ac40e444e993154bd

    SHA256

    4ae109436a52770067626b0a361f5613467319067e404e6df737321959a721e3

    SHA512

    e912000292b2d62edfafb31c495d567751723703c44484a3adf3d5d9ab38ed2d61a9e0f50886e4fa659a14a04b161a4c2f14e93390f16b216a49982ce6179973

  • C:\Users\Admin\AppData\Local\Temp\hiakt.exe

    Filesize

    629KB

    MD5

    c6116c0203cb5b3159507b541bb7473c

    SHA1

    5223b49024cce8b7f1af0cd7cc7890966c8229ca

    SHA256

    75ae2e58e927a7cc67e7985d9a491476ee175f9864efc99ff544abdb2a1b3c64

    SHA512

    f458aefde1d38a68dc2a8a470c4e0f3c40cecd1e889de389c9606e26cb38dd904ad5fcc33e8db5f20d616aa223585a68af4070bfb2fd667f7fa0a56a4a8b8726

  • C:\Users\Admin\AppData\Local\Temp\honow.exe

    Filesize

    203KB

    MD5

    8259f4cb5b72c4af3d736ba15ca06f73

    SHA1

    292acd44bd6532842ee0751b9a78f7439b6c2d38

    SHA256

    632e3f03aa284c2ea32cdf7e4007af3c025c86028c3af8b43ab6b2a48d46eda7

    SHA512

    ad372912146fbdd6979370e445e14ca9991712143d5e5143f7b37ba3f21d9336783fea15c952cc667b0515fe6995fe0035e175ec6c31d0c3acb0a1654aeb589b

  • memory/1256-13-0x0000000000400000-0x000000000049BADB-memory.dmp

    Filesize

    622KB

  • memory/1256-0-0x0000000000400000-0x000000000049BADB-memory.dmp

    Filesize

    622KB

  • memory/2480-16-0x0000000000400000-0x000000000049BADB-memory.dmp

    Filesize

    622KB

  • memory/2480-26-0x0000000000400000-0x000000000049BADB-memory.dmp

    Filesize

    622KB

  • memory/4904-27-0x0000000000492000-0x0000000000493000-memory.dmp

    Filesize

    4KB

  • memory/4904-25-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/4904-29-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/4904-31-0x0000000000492000-0x0000000000493000-memory.dmp

    Filesize

    4KB

  • memory/4904-30-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/4904-32-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB