Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2024, 01:41

General

  • Target

    eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe

  • Size

    373KB

  • MD5

    55eda1ca8ed336f54e1d9846abece7ec

  • SHA1

    7510064da4f0992ce1a8f0a7e3ad95d46512a559

  • SHA256

    eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748

  • SHA512

    02ad56ebe494a76ba75a214e680e9ad9eeba46fd84da938b96d4c352ead751ece83d5ceb64fe333660d0818c5035c99c0336bad04cd274d831bfde753ab9990b

  • SSDEEP

    6144:LlwArTEDSCs5wL0q/mdwoJgugiIX9Ghal1qU/YagPOl6xVrprI3F:LKmQDSCs5woMmd9axVNG4qugPO+V8

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • UPX dump on OEP (original entry point) 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe
    "C:\Users\Admin\AppData\Local\Temp\eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\nosit.exe
      "C:\Users\Admin\AppData\Local\Temp\nosit.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Users\Admin\AppData\Local\Temp\capyj.exe
        "C:\Users\Admin\AppData\Local\Temp\capyj.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3204
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      PID:1724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    25bd150d109fb53389a2cf661df68153

    SHA1

    e91680efee4cc527c342cddecd48a36a82103403

    SHA256

    dd59bd7184b5c42ece2f987a4b1c1364dbdf49d167cd5801aed11bfa3fe2edf1

    SHA512

    1c6278dc3ac0557cd2702f3afbd447add58431f20c4ae90366417cbfd99e444b23edca02e099a5b3330d41a49089ca97478931cc262b8795866445645cc822ea

  • C:\Users\Admin\AppData\Local\Temp\capyj.exe

    Filesize

    161KB

    MD5

    4d3b2458e34a7379220b397e9569df91

    SHA1

    536ea53a668fb349b1698dababa198b9f4cb701f

    SHA256

    ba4559fe75a96473f4796f1c3e1507271ddd903cb9205f1cc07dfa6de0910b69

    SHA512

    b8d3679aefecd8544561bd15fcbc508abce132ac53c16ba5fd6f26f4fdedbc5342d2b57ba0a0b285700a98826d9d38704a4d5dc302e62648d45bb89379130713

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    4749254221d314690f003206a386b614

    SHA1

    2585b79a6a8df7dd181bddc80d931dd18875fedd

    SHA256

    db7b1d0149e6e4d84972056bfd88adc83b4d7233da53fbb97260f78bdb65bca4

    SHA512

    e4040adf1fc9ab782e7cd4fbd42c52f28fb9d384a83bad4b8928e955bbd65dee63b54e491edd0855227f645f1c6b68f5826b51fe45ceb05fa5d2b9cd1e257f55

  • C:\Users\Admin\AppData\Local\Temp\nosit.exe

    Filesize

    373KB

    MD5

    68320299aee7ab92ec40e95f033f3964

    SHA1

    7bcb2041e08beacfffaf9383aaf583dc941304c4

    SHA256

    f65a77a54eda638c0bf2e9b40dd47ad30b54f3d8e264110b515519b0dee03dd5

    SHA512

    50c57e2630d7678f7c0d78c93a7ff72451a3cbbb6005ce84cf72e82b1c0596354694b5b5270217609a5586428f9083d7d4578b0fe5aa0f2083afe485724ec6d0

  • memory/1892-14-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/1892-0-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/3200-27-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/3200-12-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/3200-17-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/3204-26-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB

  • memory/3204-28-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB

  • memory/3204-30-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB

  • memory/3204-31-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB

  • memory/3204-32-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB

  • memory/3204-33-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB

  • memory/3204-34-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB

  • memory/3204-35-0x0000000000B70000-0x0000000000C01000-memory.dmp

    Filesize

    580KB