Overview

overview

10

Static

static

10

19ca4330fe...ce.exe

windows7-x64

10

19ca4330fe...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe

  • Size

    589KB

  • MD5

    1eb26069580f7ab03e1121f479892e16

  • SHA1

    47a4edfcacd3e4538a17f60a8f0714b70cac7ac4

  • SHA256

    19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce

  • SHA512

    5b8cbab02964aae8c63e0a4f0a308282b1d640f8a7a6a3d8f3e7429edc860d2d12233b6369b83257084fc1da08dd63c685d3d225bcc7a6b2e261d50d5c4373fb

  • SSDEEP

    6144:+ajY1oC+/U8Vjlx4kk9HKda4L38+V8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQx:OOlx4kk9HKda4Y+WoSiQi4kVdcQzjo

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • UPX dump on OEP (original entry point) 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe
    "C:\Users\Admin\AppData\Local\Temp\19ca4330fe650661d5afc87489240135589f3a2f4d5668f004a8a7c46ad306ce.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\deejy.exe
      "C:\Users\Admin\AppData\Local\Temp\deejy.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Users\Admin\AppData\Local\Temp\rugeh.exe
        "C:\Users\Admin\AppData\Local\Temp\rugeh.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:1828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      340B

      MD5

      272dd93523598bd45f86eb88c875f853

      SHA1

      ebe5f28a9a8d6b621b739c0383253bb7bb728327

      SHA256

      6f62508d93820aef7d16ab7076a3de7c7d5f4e49bf8a51877e3ad4d3da33c935

      SHA512

      0799a8a44cf5c7e6e05ef6924923ae3e2652860cfc4c34f384094cb1df4a8096315df75fb1a41f3e73e2e4353dfdd950da934677f2914a882639517320a7beb1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\deejy.exe
      Filesize

      589KB

      MD5

      bf9e58e504ca2c4f9069be0dc0639f90

      SHA1

      b2e909ba42b961f0f922666d65917b6dd6095d43

      SHA256

      a777c8b7874027f01df1759e4d0557300d2390b4578cc3bfb8104268da4cc043

      SHA512

      a33cb635b0453c434da088082267761dbc25d2c400b5fb386687591da4b634b852c0181b2e946d6a287de05617f0a223892fd4255c513e0bb7f08789ee85e650

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      05e14856d4dd2fe6d224744ae5a62447

      SHA1

      581965ee0faf4b5b5c4cf1611caccecb9e62d2c5

      SHA256

      50826663125f22b3d7d903970d7b0053a652e2fba71375c876d574eef1b5667c

      SHA512

      969c4e1df61a23a4b732d204514557a812b5582c153855cfcdb3d95cd14e1dd6d26087d2f2e611aff5b52d8bc3c0771900332e8a51fc6a388771cd0c5af36541

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rugeh.exe
      Filesize

      201KB

      MD5

      d8a36f853bb574a1100739235c2473f3

      SHA1

      f8193875a48d6d0784e6ad91ebeca8d908b8a58b

      SHA256

      13b70ad89ee99264d47c9e2a338d2a4e1ac880b86a19faf908eda13b606fd97a

      SHA512

      4506cd96a7fb339477a021e559c6e3c9c6323dc0dba37f700deb5e28dcc9d5dbb458b71b37b4eec6d74c972ce16502ab8b53023414b02cd51f2a95ee3458fa71

      Download Submit

    • memory/1516-28-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-27-0x0000000000400000-0x0000000000497000-memory.dmp

      Filesize

      604KB

      Download

    • memory/1516-30-0x0000000000400000-0x0000000000497000-memory.dmp

      Filesize

      604KB

      Download

    • memory/1516-31-0x0000000000400000-0x0000000000497000-memory.dmp

      Filesize

      604KB

      Download

    • memory/1516-32-0x0000000000400000-0x0000000000497000-memory.dmp

      Filesize

      604KB

      Download

    • memory/1516-33-0x0000000000400000-0x0000000000497000-memory.dmp

      Filesize

      604KB

      Download

    • memory/1516-34-0x0000000000400000-0x0000000000497000-memory.dmp

      Filesize

      604KB

      Download

    • memory/4556-17-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

      Download

    • memory/4556-12-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

      Download

    • memory/4556-26-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

      Download

    • memory/4956-14-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

      Download

    • memory/4956-0-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

      Download