Overview

overview

10

Static

static

3

7Y18r(227).exe

windows7-x64

10

7Y18r(227).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7Y18r(227).exe

  • Size

    481KB

  • MD5

    c7f8a3e04135f6437f0e3f05f7a09bf0

  • SHA1

    700034ebd5cfe7aad47bafb26a1ce7e0339f2cc3

  • SHA256

    3c91ffa9919a12fa6aecccedb830fd5147486612617ba999fc652aacd110e284

  • SHA512

    f27f1625ac1072962ddedd61bc5f8927639bc62b0df9fc42c56cde3232fcaece8c946bffc733e65d486cba2b9384a120224a21b3ba7e3372f3aaf682cd60e3bb

  • SSDEEP

    12288:yPd8fBT+RkEulOYyZCnWjXjJsj3C1WW8lTJz:yIp+RFuDyZCnUzJsG1WW8lFz

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7Y18r(227).exe
    "C:\Users\Admin\AppData\Local\Temp\7Y18r(227).exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\sohai.exe
      "C:\Users\Admin\AppData\Local\Temp\sohai.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Local\Temp\ledur.exe
        "C:\Users\Admin\AppData\Local\Temp\ledur.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    232B

    MD5

    d81253fa3499d93ceea31a2c142a7361

    SHA1

    2c78fde787e5ba02de098062056456c726694ff4

    SHA256

    a2957105acdb1a26dc2314c796a717e75efcd49c7bcf5285220744c316bd3cc9

    SHA512

    9e93d717ba8caf7682ac98499261619bc8d3395385cb22e47bb961946e7540ef2aa234221ab07d3f2a6ea7c416dcedcbdfee29a1c5840a507bdda79a884964ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    d371a1e9213b095f028fc46a7af5d804

    SHA1

    ce3a8ff695a26008027d28b87db759d3d9a0d01e

    SHA256

    e93b3bad87f8ced519a6235d138928488be41aa177051272c01d90333a0eac08

    SHA512

    511616b4c732dd5bdb3baa14388c564ca72465ca3e07ac36ae874790b097bb2ffdcf4543e8220b907f8db2784f3a48633fd2df8ffe622df8889345457d390100

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ledur.exe
    Filesize

    190KB

    MD5

    0ec3122447c5c5ac88aaadd3927f7970

    SHA1

    a3c8862c8087a90985b9a9ea7a9063bd5651903d

    SHA256

    648353ac3239c0ea140f1469927e34995940532b0b4627e88e2cdd463f17148c

    SHA512

    7c9f580fcad6a130f9f759342ac59394a03116eedcb54823ff34048030974ca0736b9d7f540b8a0ab148286b779b28a6241557deb7fb88fd2310faf0f962f0d5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sohai.exe
    Filesize

    481KB

    MD5

    1dbe54b72062339ebc1352ba2649b6ba

    SHA1

    43f2a6703c6fedf4b5b904407e07d15c7c977865

    SHA256

    2e859d3e7f39ddb15f4143ebc27b08b9d8dd73e156df5430f639a7d12eef5a8b

    SHA512

    4b0b868f35258111284e853ac7d9cffb865c6fc9d7d3cec19865177e1fba8044dc6f481ae09cd06f1c448067d39020ec3213285a503c5988bfb0a79ca6f5e56b

    Download Submit

  • memory/1352-38-0x00000000032C0000-0x000000000338B000-memory.dmp

    Filesize

    812KB

    Download

  • memory/1352-23-0x0000000000250000-0x00000000002D6000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1352-20-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1352-18-0x0000000000250000-0x00000000002D6000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1352-41-0x0000000000250000-0x00000000002D6000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1640-6-0x0000000002610000-0x0000000002696000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1640-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1640-0-0x00000000003F0000-0x0000000000476000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1640-19-0x00000000003F0000-0x0000000000476000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1720-47-0x0000000001340000-0x000000000140B000-memory.dmp

    Filesize

    812KB

    Download

  • memory/1720-39-0x0000000001340000-0x000000000140B000-memory.dmp

    Filesize

    812KB

    Download

  • memory/1720-43-0x0000000001340000-0x000000000140B000-memory.dmp

    Filesize

    812KB

    Download

  • memory/1720-44-0x0000000001340000-0x000000000140B000-memory.dmp

    Filesize

    812KB

    Download

  • memory/1720-45-0x0000000001340000-0x000000000140B000-memory.dmp

    Filesize

    812KB

    Download

  • memory/1720-46-0x0000000001340000-0x000000000140B000-memory.dmp

    Filesize

    812KB

    Download