Overview

overview

10

Static

static

3

4ba506ffd4...fb.exe

windows7-x64

10

4ba506ffd4...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe

  • Size

    339KB

  • MD5

    449a290c9f026bfbb8d6fdf999ef89d2

  • SHA1

    d64276f96356441534de07b1ca062764611584e3

  • SHA256

    4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb

  • SHA512

    afa5e0d0e05824152492ed00462f970ab53ebcebc6faa49a0f4836b2cc4b7d5948edfe662db867c66c1de47fadbaefddad42d539b591401525ab972909587e5f

  • SSDEEP

    6144:b/qE9d70WIH9wFHf+MQYVA5TDT44zuQOIFlUMazNWHT7+U:uGIWiiHWnesT/483OciyL

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • UPX dump on OEP (original entry point) 7 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe
    "C:\Users\Admin\AppData\Local\Temp\4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Local\Temp\ubquq.exe
      "C:\Users\Admin\AppData\Local\Temp\ubquq.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Local\Temp\hogoe.exe
        "C:\Users\Admin\AppData\Local\Temp\hogoe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4632
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:1088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      340B

      MD5

      7dbe6b009533dd951847e225e08a06d5

      SHA1

      bdacb3a08f66d73d4ea73022f69d1865b79918c1

      SHA256

      7db0bdabc9a491ba1db3a5f0a88d712423ea157729bdeaf89fb9d833782b6ac6

      SHA512

      30ec501e4e8bd8989727af2c89dce9f18d7b9e9dbdbbe209628671fdd20a1f27f0b2d3e485e47b24b2eb33d38daa3af2982c39798cba8a31461c6149391ab987

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      052410783081d16f4de6a5f14635dc6c

      SHA1

      fbc9daadc769ea5dc6be8ca0d524299627af6a79

      SHA256

      d76b40e6bb1f2e4d64f4ebf60a39e4bb8189ceeb395c203702b65e13b32e01c9

      SHA512

      8cea471b112b4e4094625859a73f9cc2b5db109b87bc44f69ed20289a91a421135b45d74d378fcced819e7b001faeb19d8fb7ac211dcb80b83a4d48c8c6862a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\hogoe.exe
      Filesize

      226KB

      MD5

      b22a62aa188b02b6c18ed928ba14105e

      SHA1

      4512d0bfed17b53c06c6cde6ac15e0b036e265aa

      SHA256

      f9836c22c1375d16eaf130c8d45993f5d9d3136505505be44062f8850d2f4da4

      SHA512

      6e3ea21fb4969e8ecf196a4bc3da16c2c0353647e1e3031332060968f1894564d2dfdf41105135c3a5261cc56bc9643e7a3a92f8e3d01c520260b197039b78b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ubquq.exe
      Filesize

      339KB

      MD5

      1e291fde9659dc2fd137bbda696c436d

      SHA1

      4f66cb238642e6f75b16e482fa1a143ea3c83e57

      SHA256

      e835331bd2381eba77783fb81b844250bb7f9f0c3856752c23f95b69324c478d

      SHA512

      5a2a9480224c47db5eb2a5ef51bc1ea7502a118b9f8603f20a6a2b2a40656039e7d0797496baa4fbbceb5a8ff56ea1a6bf1ce0edcf0ec2b95052a95bd3ca08ac

      Download Submit

    • memory/224-1-0x0000000002F00000-0x0000000002F02000-memory.dmp

      Filesize

      8KB

      Download

    • memory/224-0-0x0000000000250000-0x00000000002D8000-memory.dmp

      Filesize

      544KB

      Download

    • memory/224-17-0x0000000000250000-0x00000000002D8000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2828-20-0x0000000000300000-0x0000000000388000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2828-14-0x00000000007D0000-0x00000000007D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2828-13-0x0000000000300000-0x0000000000388000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2828-37-0x0000000000300000-0x0000000000388000-memory.dmp

      Filesize

      544KB

      Download

    • memory/4632-39-0x0000000000070000-0x0000000000127000-memory.dmp

      Filesize

      732KB

      Download

    • memory/4632-41-0x0000000000070000-0x0000000000127000-memory.dmp

      Filesize

      732KB

      Download

    • memory/4632-42-0x0000000000070000-0x0000000000127000-memory.dmp

      Filesize

      732KB

      Download

    • memory/4632-43-0x0000000000070000-0x0000000000127000-memory.dmp

      Filesize

      732KB

      Download

    • memory/4632-44-0x0000000000070000-0x0000000000127000-memory.dmp

      Filesize

      732KB

      Download

    • memory/4632-45-0x0000000000070000-0x0000000000127000-memory.dmp

      Filesize

      732KB

      Download