Overview

overview

10

Static

static

10

78570dac5d...af.exe

windows7-x64

10

78570dac5d...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2024, 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe

  • Size

    417KB

  • MD5

    eafa2454b57dc341ad9acfbd60f6876c

  • SHA1

    768d91ec07f7a4e636e7df1c5174f280d61f0d62

  • SHA256

    78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af

  • SHA512

    e5315102e22a37a44f68b6f3a904352837947567003170321133eef7d3f798825c5d1fa5246358143224e34fb476e2321e84e1331850325a65fea4c761468967

  • SSDEEP

    6144:TzU7blK2P2iCWhWapKRaRXOkN4Swel6f3IsIZOmop:vU7M1ijWh0XOW4sEf4O3

Score
10/10
urelasaspackv2trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe
    "C:\Users\Admin\AppData\Local\Temp\78570dac5d98a53190bc5803a188c5cef2666c58d421bfd28547d5e6caff53af.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\dopas.exe
      "C:\Users\Admin\AppData\Local\Temp\dopas.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Users\Admin\AppData\Local\Temp\baeha.exe
        "C:\Users\Admin\AppData\Local\Temp\baeha.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:3736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      340B

      MD5

      712af6a6df3dd1cf43c3f568523adcc2

      SHA1

      1a0d9f81191f657061eefa6289d71ce1cd9bc5f7

      SHA256

      e9e386a7fab1b0a2bbb5fc81842f8d536950710be0deab1c211b8b38db0ae57a

      SHA512

      b31d7d52b375f8fec6ddd9a23ad66a9636394fc34e59e74e2c036ff4f31972da3e10be85f008e042179e836973abb447547eddbdc3557d62aed5dd69a36ad13d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\baeha.exe
      Filesize

      212KB

      MD5

      9191bf8c90aad81aa06005ef221f77ba

      SHA1

      86ba4de3e7a2216c7d8ab7bacb3b9bf4a95c5964

      SHA256

      9df314f5626fa789449ca673f36e4e2a68ce06318abd73b70983d956947d6edf

      SHA512

      95cdd66e811ad9ea8fe400816b967edf3a50f5ca9ee6c0b86c451990ec9635f600cc41ec92873bf7fbbf0093986d2186be9080122ad3f54614ce51f69e650486

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dopas.exe
      Filesize

      417KB

      MD5

      03947a390067c8147e2208572cb71313

      SHA1

      40661a487a768cae7b14ed5b0102c32787b3d4a9

      SHA256

      8a2b221a4ae88368159ec43f4be08e41ed6d5910f43dff5105a792d1fc573de0

      SHA512

      98e706ab563f683140ad163786bdbd0725fdd3a3e63330ff1d967c235260f0398895477fd86b0161c7ad96b677b38d5c34cfb964dedb359a0786b656082e7d56

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      072142c91e8b6a42e89d2a69cddaa71a

      SHA1

      96c82f2035fb2425a4133d4fde7fdf1e2481fc3a

      SHA256

      060a1b4c6653bc3b1cd35d3644482b2ab7d591a8752d6cefe8b65190b20fe1ec

      SHA512

      b137accdd92207f1bb07c72fd8f5275bf9f47a8739d0b418e3e8369eddc8d220d6028e0db5141042cf84f80a8286b21c3c7e8ce0f9eb80f80cfd2fec3f21a03f

      Download Submit

    • memory/64-26-0x0000000000400000-0x0000000000465A6E-memory.dmp

      Filesize

      406KB

      Download

    • memory/4192-27-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-25-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-24-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-28-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-30-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-31-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-32-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-33-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4192-34-0x0000000000150000-0x00000000001E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4984-0-0x0000000000400000-0x0000000000465A6E-memory.dmp

      Filesize

      406KB

      Download

    • memory/4984-13-0x0000000000400000-0x0000000000465A6E-memory.dmp

      Filesize

      406KB

      Download