Overview

overview

10

Static

static

10

a9c0800d6f...d7.exe

windows7-x64

10

a9c0800d6f...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/02/2024, 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9c0800d6f48953b981576b464623ad7.exe

  • Size

    441KB

  • MD5

    a9c0800d6f48953b981576b464623ad7

  • SHA1

    aa0e2fd82c0c55f6d01d06863ca8aaf88255db68

  • SHA256

    81f5fc7247797d5d8dfb5860cd12535ac879ec2507ac934cdf2d05e76c2d59f7

  • SHA512

    229b4abfce3c63fc65c648c2496dbbd28a5388e4b7da05d377f4f030f6b1ee9bedf257dcb8c291ebf2ff87acd2ebc2e74d1e169e0d98827c1702c805bd4e64bd

  • SSDEEP

    6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMb:rKf1PyKa2H3hOHOHz9JQ6zBQ

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9c0800d6f48953b981576b464623ad7.exe
    "C:\Users\Admin\AppData\Local\Temp\a9c0800d6f48953b981576b464623ad7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Users\Admin\AppData\Local\Temp\nuvuf.exe
      "C:\Users\Admin\AppData\Local\Temp\nuvuf.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Users\Admin\AppData\Local\Temp\osibl.exe
        "C:\Users\Admin\AppData\Local\Temp\osibl.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:1324

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      276B

      MD5

      6cb826f6f751321b98ee56ea49757118

      SHA1

      253f34fe009ed7baf89c166eecdfd4e427b602d7

      SHA256

      29783840ec3c668e3ecc60d93fb245c38a6ce76c04065ce8a0749e676e4beab7

      SHA512

      69f09f31aa3ea34d39fd673d9ecc4c5e31089cc1d55ba4da80d67e1d99b45a9fb1cbcab0a03cda6b280a61e764fbfa8c28e82627d36945ea2c3633c606bd7699

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      fb9ce377f9b1fb9f45e68f5ff25046c0

      SHA1

      18f7663a82ccd6983d4033421c836017190e5303

      SHA256

      22aaf8bedca367a0d2521f1997546d8c5dc9abf15870afdcfbd9382ffc94df3d

      SHA512

      305fbaec646bd6d662d53781f790041ebe2fedf896dcbab8427ceedb1fb020cd08566e47fb8f7fe886df057afdf2a434dcabf04a244bee6bb9caee952c7386be

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nuvuf.exe
      Filesize

      441KB

      MD5

      04799bc023c6343f935ba535d87c4a50

      SHA1

      4ffd6076e1432383349c16e67fa35f80887a3356

      SHA256

      0c81286107e1357ac4a35cecd2006cdec7b7a04aa9bea9bac567a395f44d3d0e

      SHA512

      b6b39adedb2094b05e3e6dd7c0f4c7d65da092b345af247e77d2e8e7f0fd1a4f3d1a3e893e59dd1985566ca0d779b3c074c62cde82b7775e699b52bad7303e6c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\osibl.exe
      Filesize

      230KB

      MD5

      aa2f9018903d292708586e89b8dad335

      SHA1

      2cfecb1e246fd6599313d245e8c294d2af06aa58

      SHA256

      7d9d9ca2ec3bb1891eaaa0d00c7aaf18deb5d6224003b013a5f70447d8ddc856

      SHA512

      84032d9540cc30c0d014b5dac660141ff047fe9344e823bdfd1abbf01cd95a99d22aae922ae514ab75b86421d8946e71831267a168440b037a42f9e5076ff5b3

      Download Submit

    • memory/1992-27-0x0000000000F40000-0x0000000000FAE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1992-10-0x0000000000F40000-0x0000000000FAE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/3272-26-0x0000000000810000-0x0000000000811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3272-25-0x00000000008B0000-0x000000000094E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3272-29-0x00000000008B0000-0x000000000094E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3272-30-0x00000000008B0000-0x000000000094E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3272-31-0x00000000008B0000-0x000000000094E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3272-32-0x00000000008B0000-0x000000000094E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3272-33-0x00000000008B0000-0x000000000094E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4116-14-0x00000000005D0000-0x000000000063E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/4116-0-0x00000000005D0000-0x000000000063E000-memory.dmp

      Filesize

      440KB

      Download