Overview

overview

10

Static

static

3

f2ba1c1c4f...30.exe

windows7-x64

10

f2ba1c1c4f...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe

  • Size

    6.5MB

  • MD5

    92e0624826b4f17f1fcf2b53e454c216

  • SHA1

    f079f61759d17db1440b09837cdc99817c42a65b

  • SHA256

    f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530

  • SHA512

    5b4cfcebe3b2faee309baa3e4d90f4157e055c9044868f95fcec9080a72f76384a31967e0c3ca48435bbcf66ebaa7be5fc718e3c4d86f3c6ec103f4234ea61e3

  • SSDEEP

    98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSD:i0LrA2kHKQHNk3og9unipQyOaOD

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • UPX dump on OEP (original entry point) 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
    "C:\Users\Admin\AppData\Local\Temp\f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\wofux.exe
      "C:\Users\Admin\AppData\Local\Temp\wofux.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Users\Admin\AppData\Local\Temp\ogtoad.exe
        "C:\Users\Admin\AppData\Local\Temp\ogtoad.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Users\Admin\AppData\Local\Temp\abifu.exe
          "C:\Users\Admin\AppData\Local\Temp\abifu.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:1608
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
          PID:1164

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
        Filesize

        340B

        MD5

        825d427f5c1c4332b39ae0841a9fbb4d

        SHA1

        5836bb85e53beceb20aa6c1ede8fa941bfdd1037

        SHA256

        2161e402289cedf7c2fd166461968b946279cc72acc1a470b9b4e4bfb6b006d1

        SHA512

        99171eeb3d8271b6899677f869596b1bd7bed78b5b260322eff42e61b3bd16f9ccfe3bdda8c1a61310cbf459c015ff82c4b15dc088c3b0aba864a42c5479d472

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
        Filesize

        224B

        MD5

        f77fbacb034d93b4a66410bc285030d7

        SHA1

        31d16478d19382d0cefe0eb33ac17ae4361ac8fe

        SHA256

        95a4090bc7f9d14c507dfb6f5532750709c86ce441bdafa28f66f663d1dc0e9e

        SHA512

        0695889683229ef4478964b7b201a76e3939c4b78778021c6baff200ca211fa045e3f58d5487a2e0f23db958f31498ae27bdb72896f57299e69eef9aa893e814

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\abifu.exe
        Filesize

        459KB

        MD5

        3e5a25cf11c84c192fe384b69a95d673

        SHA1

        d57dc941b3954c65e8310b808d2007d3b84d3fde

        SHA256

        a0c37666ab9f666fff7c884cfb8d6f5e810fa7067299b0a83923a23828b4ff8d

        SHA512

        944dc2d0a75f0751023c785cc8d9ac352f85b7a648903787931dadaae2d5ddf9c897913dc9660c5efc3266f895a335459da1447d23c26f5028ce20140a8e66b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gbp.ini
        Filesize

        104B

        MD5

        dbef593bccc2049f860f718cd6fec321

        SHA1

        e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

        SHA256

        30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

        SHA512

        3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
        Filesize

        512B

        MD5

        65d14e7edd662b8e18be1e04571b9c61

        SHA1

        9b49bb73f0baf3ebca11ea7fa2163391895fe0f9

        SHA256

        eeaa4214400930f63b20ff79a96a1779a58ccfcffb2ba0ccc190d093a5003ccc

        SHA512

        259398c5486eeb27167640437fa70b6b671cba5c8b1a914ff8929e5e2212f27c84bd9b5b638e4cafbe627574dcf83c5ac2865c7aec6c511603e55b651593fe96

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wofux.exe
        Filesize

        6.5MB

        MD5

        238ab91fe1c0eb6e9607a4d3ace97ca6

        SHA1

        a90f57afb854b30c2e1652c76139313db4cd9cea

        SHA256

        f152bd8cf983dbf7b06033b7c014470f23c275155f89ea304efe3208428d619b

        SHA512

        e15e36d28e798769fffd8d4795f8e852917735247ca11965ea266c6e1a0db8d87052cd1cc685ca0d01a9e5ab634ce3ee50d443eccf43a11e00b16b49dd27128f

        Download Submit

      • memory/1432-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/1432-27-0x0000000000F40000-0x0000000000F41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1432-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1432-28-0x0000000000F50000-0x0000000000F51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1432-29-0x0000000000F60000-0x0000000000F61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1432-34-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/1432-30-0x0000000001090000-0x0000000001091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1432-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/1432-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/1432-31-0x0000000002B60000-0x0000000002B61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1432-33-0x0000000002B80000-0x0000000002B81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1544-53-0x0000000002A70000-0x0000000002A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1544-49-0x0000000002A10000-0x0000000002A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1544-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/1544-48-0x0000000001160000-0x0000000001161000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1544-51-0x0000000002A50000-0x0000000002A51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1544-52-0x0000000002A60000-0x0000000002A61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1544-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/1544-54-0x0000000002A80000-0x0000000002A81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1544-50-0x0000000002A20000-0x0000000002A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1752-69-0x0000000000400000-0x0000000000599000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1752-73-0x0000000000400000-0x0000000000599000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2220-10-0x0000000000526000-0x000000000087A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2220-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2220-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/2220-1-0x0000000001010000-0x0000000001011000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2220-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2220-25-0x0000000000526000-0x000000000087A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2220-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/2220-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/2220-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2220-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

        Filesize

        10.9MB

        Download

      • memory/2220-2-0x0000000001130000-0x0000000001131000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2220-3-0x0000000001140000-0x0000000001141000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2220-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

        Filesize

        4KB

        Download