Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2024 22:02

General

  • Target

    53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe

  • Size

    505KB

  • MD5

    e82dc2f700675d613eb9d3539e110979

  • SHA1

    58a1c5e1c2ab44aef6e7a20e87b929c997e4ef8b

  • SHA256

    53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe

  • SHA512

    f489519b78f3242951a83c08133db7dd752316ae520b8833cd47f9170ef6d92c9e8902a49bbad556311fa74d9114994ae3fcca5d6b2720f775ef8b346ac3b601

  • SSDEEP

    12288:6uGtVfjUBSaoINAHT19UWvMucSlFgIOguNvP/6x5:6bt2/NA3UWUuBlFLUvax5

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe
    "C:\Users\Admin\AppData\Local\Temp\53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\bakid.exe
      "C:\Users\Admin\AppData\Local\Temp\bakid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Users\Admin\AppData\Local\Temp\jylyx.exe
        "C:\Users\Admin\AppData\Local\Temp\jylyx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:2636
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2088

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

        Filesize

        340B

        MD5

        d0025df6a661a237ab2a386a04300dd9

        SHA1

        c6cd0b9269551595fee1082d6fb70613c071f4df

        SHA256

        8acc6487d10a6c4d45ec607e4a0db85c00ed7314aaed7a0fd01db409420d1ecf

        SHA512

        f90e63f47dceaa85ffffb0e42fd44fe347dd4fe2e33ed3e3b7b3d4a485f0aaf7df06ac21f8921cdd4d5e249d68cc0f0fc4303a282b1505d2eb036e41b9d23ac3

      • C:\Users\Admin\AppData\Local\Temp\bakid.exe

        Filesize

        505KB

        MD5

        a619534c532e3adb1bf58bd855bec5a3

        SHA1

        0056d6f191b37a454c2e37aa4bf377e03c917f56

        SHA256

        e5250fc54569fc7f959dee0f8ed270c0571ace3708bf7a42a883babdda9c9e35

        SHA512

        b3a493229787a64bd64449851e9a21ad47bcc2d99029b513b6ab84c368d74e3a755862418b9ac21d5be21d1eb1736a9b02ff62968a3a903d8c6cdec02186aa2e

      • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

        Filesize

        512B

        MD5

        6fdb837d951eaef6f97bf3043cddd001

        SHA1

        696d9b7c2d88fd2e2cb2f8d6bb90b0839aa03599

        SHA256

        f9f2b7dbe515d375b8639a9f8b9eb8ea4fbe8e39c19ba6e323977cd0044f8e42

        SHA512

        0bac0cd7373eee76bf6de35126395fbdf15ddd08b433ca2abfbb0e566af137b238fe1de88d2ec6b53e14792e4b6f6d36549d8300d4cd6052c3caaf34b169743c

      • C:\Users\Admin\AppData\Local\Temp\jylyx.exe

        Filesize

        186KB

        MD5

        0bdb23739c9c2a9b6559b451c6f90a66

        SHA1

        be0107b031d0f984badcd83bd30ab6b129489efa

        SHA256

        7eeaa098150c5e9ad4422cad9b31450d11d4f6ab8dac4a7997c5259b607b8f5a

        SHA512

        50249759080303be1d06e84fb9b26bb556202e151463e85daf672a0e98f7319e37bae693258783c0ca5b0b4073f2998ce02b24da635bacb7b2201afa34ebb088

      • memory/2356-0-0x0000000000400000-0x0000000000485000-memory.dmp

        Filesize

        532KB

      • memory/2356-13-0x0000000000400000-0x0000000000485000-memory.dmp

        Filesize

        532KB

      • memory/3376-25-0x0000000000400000-0x0000000000485000-memory.dmp

        Filesize

        532KB

      • memory/4672-26-0x0000000000F70000-0x0000000000F71000-memory.dmp

        Filesize

        4KB

      • memory/4672-27-0x00000000001C0000-0x0000000000256000-memory.dmp

        Filesize

        600KB

      • memory/4672-24-0x00000000001C0000-0x0000000000256000-memory.dmp

        Filesize

        600KB

      • memory/4672-31-0x00000000001C0000-0x0000000000256000-memory.dmp

        Filesize

        600KB

      • memory/4672-32-0x00000000001C0000-0x0000000000256000-memory.dmp

        Filesize

        600KB

      • memory/4672-33-0x0000000000F70000-0x0000000000F71000-memory.dmp

        Filesize

        4KB

      • memory/4672-34-0x00000000001C0000-0x0000000000256000-memory.dmp

        Filesize

        600KB

      • memory/4672-35-0x00000000001C0000-0x0000000000256000-memory.dmp

        Filesize

        600KB
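As an added example (not part of the sandbox report), the script below turns the report's indicators into a small triage check over endpoint telemetry. It serves both the Processes tree and the Downloads list above: it parses constructed process, file and network events in a simplified key=value format of my own (not a real Sysmon or EDR export), matches SHA-256 values against the submitted sample and the four dropped files, flags connections to the two extracted C2 addresses, and reconstructs the behavioural shape of the process tree: an executable in %TEMP% launching another executable in %TEMP% (sample, bakid.exe, jylyx.exe) and cmd.exe /c running a batch file from %TEMP% (_uinsey.bat). The parent PIDs of the top-level processes, the 192.0.2.10 Edge destination and the event format are assumptions.

```python
"""Triage check built from the indicators in this Urelas report.

Added example, not part of the sandbox report. The event lines below are
constructed in a simplified key=value format of my own, not a real Sysmon
or EDR export; parent PIDs of the top-level processes and the benign Edge
destination (192.0.2.10) are assumptions.
"""
import ntpath
import re

# Indicators copied from the report: extracted C2 addresses and the
# SHA-256 values of the submitted sample and the dropped files.
C2_IPS = {"218.54.31.226", "218.54.31.165"}
SAMPLE_NAME = "53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe"
SHA_SAMPLE = "53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe"
SHA_BAKID = "e5250fc54569fc7f959dee0f8ed270c0571ace3708bf7a42a883babdda9c9e35"
SHA_JYLYX = "7eeaa098150c5e9ad4422cad9b31450d11d4f6ab8dac4a7997c5259b607b8f5a"
SHA_BAT = "8acc6487d10a6c4d45ec607e4a0db85c00ed7314aaed7a0fd01db409420d1ecf"
SHA_INI = "f9f2b7dbe515d375b8639a9f8b9eb8ea4fbe8e39c19ba6e323977cd0044f8e42"
KNOWN_SHA256 = {
    SHA_SAMPLE: "dropper (submitted sample)",
    SHA_BAKID: "bakid.exe",
    SHA_JYLYX: "jylyx.exe",
    SHA_BAT: "_uinsey.bat",
    SHA_INI: "golfinfo.ini",
}
TEMP_MARKER = "\\appdata\\local\\temp\\"  # lower-cased fragment of a %TEMP% path

# Constructed telemetry mirroring the report's process tree (PIDs 1180 for the
# parents of the top-level processes and the 192.0.2.10 destination are assumed).
T = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    f'type=process pid=2356 ppid=1180 image="{T}\\{SAMPLE_NAME}" sha256={SHA_SAMPLE}',
    f'type=file pid=2356 path="{T}\\bakid.exe" sha256={SHA_BAKID}',
    f'type=file pid=2356 path="{T}\\_uinsey.bat" sha256={SHA_BAT}',
    f'type=process pid=3376 ppid=2356 image="{T}\\bakid.exe" sha256={SHA_BAKID}',
    f'type=file pid=3376 path="{T}\\golfinfo.ini" sha256={SHA_INI}',
    f'type=file pid=3376 path="{T}\\jylyx.exe" sha256={SHA_JYLYX}',
    f'type=process pid=4672 ppid=3376 image="{T}\\jylyx.exe" sha256={SHA_JYLYX}',
    f'type=process pid=2636 ppid=2356 image="C:\\Windows\\SysWOW64\\cmd.exe" cmdline="cmd.exe /c {T}\\_uinsey.bat"',
    'type=network pid=4672 dst=218.54.31.226',
    'type=process pid=2088 ppid=1180 image="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"',
    'type=network pid=2088 dst=192.0.2.10',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def in_temp(path):
    return TEMP_MARKER in path.lower()


def base(path):
    return ntpath.basename(path).lower()


def match_hashes(events):
    """Process images or written files whose SHA-256 appears in the report."""
    return [(e["pid"], e["type"], KNOWN_SHA256[e["sha256"].lower()])
            for e in events if e.get("sha256", "").lower() in KNOWN_SHA256]


def match_c2(events):
    """Outbound connections to the extracted C2 addresses."""
    return [(e["pid"], e["dst"]) for e in events
            if e.get("type") == "network" and e.get("dst") in C2_IPS]


def temp_chains(events):
    """A %TEMP% executable spawning another %TEMP% executable: the
    sample -> bakid.exe -> jylyx.exe pattern from the process tree."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e.get("type") == "process"}
    chains = []
    for e in events:
        if e.get("type") != "process":
            continue
        parent = image_by_pid.get(e.get("ppid"))
        if parent and in_temp(parent) and in_temp(e["image"]):
            chains.append((base(parent), base(e["image"])))
    return chains


def temp_batch_launches(events):
    """cmd.exe /c running a .bat that lives in %TEMP% (the _uinsey.bat step)."""
    hits = []
    for e in events:
        cmdline = e.get("cmdline", "").lower()
        if (e.get("type") == "process" and base(e["image"]) == "cmd.exe"
                and "/c" in cmdline and ".bat" in cmdline and in_temp(cmdline)):
            hits.append(e["pid"])
    return hits


def triage(lines):
    """Run every check over raw event lines and summarise the findings."""
    events = [parse_event(line) for line in lines]
    result = {
        "hash_hits": match_hashes(events),
        "c2": match_c2(events),
        "temp_chains": temp_chains(events),
        "temp_batch": temp_batch_launches(events),
    }
    result["suspicious"] = any(result[k] for k in ("hash_hits", "c2", "temp_chains", "temp_batch"))
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The hash matches are the most brittle of the four checks, since a rebuilt dropper changes every one of them; the C2 addresses and the %TEMP%-to-%TEMP% launch chain survive repacking and are the ones worth keeping as standing detections. The report's "Checks computer location settings" signature (a read of the configured country code) is not reproducible from this kind of telemetry: Sysmon records registry value sets and key creation, not reads, so that behaviour is only visible in a sandbox or an API-tracing source.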