Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/03/2024, 21:37

General

  • Target

    8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe

  • Size

    453KB

  • MD5

    21b9b58fa2aa01359b6d84e2b402ea66

  • SHA1

    486d4169c82b0574e3c8d65c67dd123d539f67ed

  • SHA256

    8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793

  • SHA512

    d2fe91817f56f74453d00d0eb4d49e4cca22960a51d7d9eaa2d59cb660e4b0207c429e53505a9630f7fb58a6cebc92b827b0f5727fcf65e5ae8d3dd5c9477468

  • SSDEEP

    6144:Z8efQ6QPJGcLbjg0YSZK4UnUHOkb8734A2P6gt99Wvtxrpp29xSE3v/:c6QPJGcE0XKRg04zPZt9mtPON/

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Detects executables built or packed with MPress PE compressor (6 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
    "C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\qecez.exe
      "C:\Users\Admin\AppData\Local\Temp\qecez.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Users\Admin\AppData\Local\Temp\qukai.exe
        "C:\Users\Admin\AppData\Local\Temp\qukai.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      PID:720

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

            Filesize

            340B

            MD5

            2ed49363141b3a651ae2f19a7ce5004e

            SHA1

            0e602feeff46414a51675b0d0989c7bb5ea06a1f

            SHA256

            b91b3d683ec592cae7c070a6ce8138d45bfbaa5b532fa4cebeee94cb2ad520e1

            SHA512

            6685704ab2257d970b3ab298ced5fa46ca9840eadc7cae5ff1ad55d6529ceb9d5a91412f581c6f9c9ef794049e193ab03c83c7534bd78cec35d122f22a5e30c2

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

            Filesize

            512B

            MD5

            04220b628690481880d00212a5ec576c

            SHA1

            6bb9aee2bf8eb2af45d1afb5e709b802d641644e

            SHA256

            0b04d52ad167b8824998ca3372c293a611f08a465b06000e77cd4a5707d351a6

            SHA512

            7a8bd119b42c7f6e846a8904fabe46f1d66e4f568527ed13e276979a8c6f6a9522448b7a099863cc40529331739439308eccec9bf9ac70b6055183b88e428449

          • C:\Users\Admin\AppData\Local\Temp\qecez.exe

            Filesize

            453KB

            MD5

            90d3bd60a314754fa3f6ed64e0f54130

            SHA1

            f714204819e95791c36bbb6536bc33d1e857d634

            SHA256

            43cfff80f8c39b0c0b0f0f417aaa595a5a5fbfc32b314dbea62967ba18d1bf4c

            SHA512

            d67db70ea1362d1aa02287060945ab5ea63fc866401f00267e32a643e000eb64a4c912c5ea33b4e341467e4dc1fb01d7baa7d1e0dfb4ec4efd5e45ceb586f81f

          • C:\Users\Admin\AppData\Local\Temp\qukai.exe

            Filesize

            297KB

            MD5

            cec2aea1f829b748ea2bc067db445e13

            SHA1

            c28b0f81a5103de9f3af467de2d96816148ac3f2

            SHA256

            9d57d240f2a1ce9f2fe207a03f4a46ab810459d4eb91d104eec23f22d79214b5

            SHA512

            87d3e988e3c2ce42ec6a20d5435396b759449f8cd9cbc8488d6916ac4a16cc2f09be9d83f309c828e32d9949804cb15f780c923a268b2b79ebbb8212284ead98

          • memory/1988-0-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB

          • memory/1988-14-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB

          • memory/2016-12-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB

          • memory/2016-17-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB

          • memory/2016-26-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB