Overview

overview

10

Static

static

10

685e31d7a1...8d.exe

windows7-x64

10

685e31d7a1...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2024, 19:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe

  • Size

    102KB

  • MD5

    7fe58f1d3995cfbc0b1c24a68b0aa63b

  • SHA1

    5487ebe115e3ab177a45ca63e0f60cab799f837e

  • SHA256

    685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d

  • SHA512

    47904d161ec377c7620aa3be53a6e90bd631f9657537a66cfc45378fd115ba59ec82682557a776d823f041b5929daf987cfdd4471f3e4379e4997e867c65e097

  • SSDEEP

    1536:OVNSf7hyk+I6412V6PMqAax80XAFSrRd4BH/bdF2x:SSf9yk+U2V63XAFSrRKBHTix

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Detects executables built or packed with MPress PE compressor 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe
    "C:\Users\Admin\AppData\Local\Temp\685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      PID:3812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:1760

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
            Filesize

            512B

            MD5

            d8c69e006046149f40585fb3e1bfafb4

            SHA1

            97073fb1d116248dbecd009e4bf873ab45c6c2da

            SHA256

            df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

            SHA512

            b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\huter.exe
            Filesize

            102KB

            MD5

            2e390983c30f6cc59a3773a368f39c9c

            SHA1

            39bf080135c1e7f9735b2debb217ea54832964e8

            SHA256

            00c51893b6cc9f1256420af7632f4d0dde0c47b15fb09073d256a11f9c9ddbd8

            SHA512

            e06a8ebdae502c598c58c92e6ecb0ecffd08c62a22cda2219649f00850ffd7159a1b77f971d2e0dee993e3f442136d61d5d83e4102160a282aeebf3a79354531

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
            Filesize

            338B

            MD5

            cdc850b01239422a7e6613927f52e738

            SHA1

            1dd18d9b3523e1f87961a05694dd5601d1fff901

            SHA256

            696159560667d41313be0214185920209d557197869bbdd6711bdd9e79ec3d6d

            SHA512

            d78ff99dc3492831067c4dd9b7000a6f2683dd4fe23a28883e9bd845fc5cb1b5f1f2a90c7c787f0860ac09e23cd82775b9a10555840ce2f418967800c8e1f693

            Download Submit

          • memory/3424-0-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/3424-17-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/3812-15-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/3812-20-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/3812-22-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/3812-28-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download