Overview

overview

10

Static

static

10

d84041eca0...c0.exe

windows7-x64

10

d84041eca0...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 03:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe

  • Size

    368KB

  • MD5

    b725608c76d7a01dc966c2707604e459

  • SHA1

    5e31cf379c12e2f3582fb4df5ade53ab660af3ed

  • SHA256

    d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0

  • SHA512

    14e17966aa916da982ffe5ac71857aea1a0f78715b94d9a9926645f094856647b04a6b312d2292702dc95c466f3c3723854677bce1b579a841d137ec26447ade

  • SSDEEP

    6144:1o3whi+1Py3V0a24kOn+Sr72iyjmhuKtUYiw52hVOcvBRMHkWYHpf:YKf1PyKa2anKjm3OYZ2hocvHt

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe
    "C:\Users\Admin\AppData\Local\Temp\d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\mizuz.exe
      "C:\Users\Admin\AppData\Local\Temp\mizuz.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Users\Admin\AppData\Local\Temp\uhser.exe
        "C:\Users\Admin\AppData\Local\Temp\uhser.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:1968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4472,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:8
      1⤵
        PID:4680

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
        Filesize

        340B

        MD5

        d8d32f009fabd581949daf20760a0771

        SHA1

        d7866caf29c9ae663fc25df9a27cd78ed54427ed

        SHA256

        418bcf5544a11af04be49a29d2828a16b5dac2f9766db1c17e9cf3a3f6d327f8

        SHA512

        a702b075baa7f65e1e8ef0ed12099e4a5b872b182eb6720be33fb94c59cbf2d47ae40bad514eebf222fe7a353e938ee32a4321c7fc4e918c900167da3f65a31a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
        Filesize

        512B

        MD5

        e117c654fd68206253e37d473ca22e22

        SHA1

        eb4507381255b339388f4e5863073b32572707f7

        SHA256

        e4f230110d5df338764b8eb1fe47a80c1ab7f9b364cb2cc1cc7bab4d51b10e3b

        SHA512

        b7e0b01ae150e9cb0cef6344721e5a2b25bdee9ae5f412253ef2ac3a2534853df880efe495c8c2326f2d98322260600dca230bc67745ae1f02df2af2e7becb83

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\mizuz.exe
        Filesize

        368KB

        MD5

        1012dbd917ccfcace6a8b818d34af88b

        SHA1

        6aa26027ca6925446aa669ef51c6ebf4e8a13018

        SHA256

        375c0aed34ed1129a41eb65f5db05d78c55f5cc05dfc93597b372d22fac94c8e

        SHA512

        83a437bf5986775506c2756df37eefac69b5f781fd83d9021a519e98a3412818b23c7a87cdb139a2def44f1a5347c6097cfddc72846eae118d3fb87e188362fb

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\uhser.exe
        Filesize

        208KB

        MD5

        88bf76cfa6c8a691a702385828c9d2c1

        SHA1

        b23d7f6eb493037b634f4a53de684fcf89a4b1fc

        SHA256

        044c7df9b621ac2d516d0818175ec75a680e5f21f5837ae4dc08ad9028399e24

        SHA512

        3b698962ea38c22fcb54ce726f62ee8b14b6bde29c789a1f1dee4d301a0463cccb4c4cb08e417f2eb4fc5757cd6bf3b3f07caaa4335ad58512c27644df0fee09

        Download Submit
      • memory/3220-19-0x0000000000070000-0x00000000000D2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3220-30-0x0000000000070000-0x00000000000D2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3220-13-0x0000000000070000-0x00000000000D2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3220-12-0x0000000000070000-0x00000000000D2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3628-0-0x0000000000AC0000-0x0000000000B22000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3628-1-0x0000000000AC0000-0x0000000000B22000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3628-16-0x0000000000AC0000-0x0000000000B22000-memory.dmp
        Filesize

        392KB

        Download
      • memory/4300-29-0x0000000000F00000-0x0000000000F02000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4300-28-0x0000000000780000-0x0000000000833000-memory.dmp
        Filesize

        716KB

        Download
      • memory/4300-32-0x0000000000780000-0x0000000000833000-memory.dmp
        Filesize

        716KB

        Download
      • memory/4300-33-0x0000000000780000-0x0000000000833000-memory.dmp
        Filesize

        716KB

        Download
      • memory/4300-34-0x0000000000780000-0x0000000000833000-memory.dmp
        Filesize

        716KB

        Download
      • memory/4300-35-0x0000000000780000-0x0000000000833000-memory.dmp
        Filesize

        716KB

        Download
      • memory/4300-36-0x0000000000780000-0x0000000000833000-memory.dmp
        Filesize

        716KB

        Download