Overview

overview

10

Static

static

10

5363b7cc15...0c.exe

windows7-x64

10

5363b7cc15...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5363b7cc15bc76f5097a2836e8c8bc0c.exe

  • Size

    412KB

  • MD5

    5363b7cc15bc76f5097a2836e8c8bc0c

  • SHA1

    61a82c0b1cb95e875ab06ee7a4dc08098f204a8d

  • SHA256

    43d080a43009395ba1e85c202bf12804fc5ab128e79cfeeab7f359a1235a303f

  • SHA512

    215235b086985dc420353ddb9a23407acd111851b05cfcd63ad7a80c15f1e6a78792fe010b11ff336b3ac2d4f87b4ae2bc132f6a20be926b4232a2f34b7b5535

  • SSDEEP

    6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgs:oU7M5ijWh0XOW4sEfeO8s

Score
10/10
urelasaspackv2trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5363b7cc15bc76f5097a2836e8c8bc0c.exe
    "C:\Users\Admin\AppData\Local\Temp\5363b7cc15bc76f5097a2836e8c8bc0c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Users\Admin\AppData\Local\Temp\vuqoo.exe
      "C:\Users\Admin\AppData\Local\Temp\vuqoo.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Users\Admin\AppData\Local\Temp\cocil.exe
        "C:\Users\Admin\AppData\Local\Temp\cocil.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:4204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      276B

      MD5

      5c8c644dd14b15c274f17148997925a7

      SHA1

      2c98525c3cf577985df0bbcbfe1e6755564a3846

      SHA256

      a271df78c3e50b046fa7f9ead16c52238584282385052018c6348bc0a4b61588

      SHA512

      83e2a976b1fb5b99dc130661a45d83506ea58d94ee1d07a027b904f8f3955078815dbbb1102a910261a5960f9b00193f7e317e73b5f335c68d2dba1fd8b374da

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cocil.exe
      Filesize

      212KB

      MD5

      79cd84cf4a464b55f46c095af0efe4ca

      SHA1

      aa5e9992624e309933396dff2c08a389b24b769d

      SHA256

      7e135286058c56c5b42c24185cb6565fd0e502b23cda02ef69bdec7321c9cc7f

      SHA512

      8529ed58a5d27dd76099e534a7de2693063bd76e2c157cc4e87048c629d585bd94baeb63ec24d534035a191af640680a3f716721e256d95cabaad89155792ecb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      3cbd3a4566b01726e37637a20c0037d6

      SHA1

      638828cf62c8f9c82da06a3ce628ad34a7423e8d

      SHA256

      1834f99e6c24f551840a093a2056e711b99699fcc104c6f8166ccee92b24b637

      SHA512

      9022b9174096b7377311918a16efaeb4b48b9120ef3c603587336d4a30d8056b2d566b8828f26f9dd9c4cd4ad2cd8a4731a095a757b8f7b336b9c4f4017516a9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vuqoo.exe
      Filesize

      412KB

      MD5

      f4a05aa567c98b23e5d48e753a454686

      SHA1

      9988ce575698e92b9bec56663656cb1183333756

      SHA256

      b184ff10c5c7f37edbdc1c95bae67d3a7eac2e96a78473fba9721596bf56a850

      SHA512

      ebf3b92baec29f87ce3e1013187a51ad812ebdaf6cf1d82a3b56303695498fcf4943d9a140dc3bb588fdec247876742dddefd00e63a766f9ffad771572b0a2d4

      Download Submit

    • memory/3260-0-0x0000000000400000-0x0000000000465000-memory.dmp

      Filesize

      404KB

      Download

    • memory/3260-14-0x0000000000400000-0x0000000000465000-memory.dmp

      Filesize

      404KB

      Download

    • memory/3768-12-0x0000000000400000-0x0000000000465000-memory.dmp

      Filesize

      404KB

      Download

    • memory/3768-25-0x0000000000400000-0x0000000000465000-memory.dmp

      Filesize

      404KB

      Download

    • memory/4044-27-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4044-28-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4044-29-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4044-31-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4044-32-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4044-33-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4044-34-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4044-35-0x0000000000750000-0x00000000007E4000-memory.dmp

      Filesize

      592KB

      Download