Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2024 23:13

General

  • Target

    71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe

  • Size

    333KB

  • MD5

    4db07e5916f1df61e29be73c51e152dd

  • SHA1

    f4d13b63c57e15491cedab6425982c21950605de

  • SHA256

    71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b

  • SHA512

    dc238854a7cdc6161084b09c0e6415a8aaf7426c138f1e99c5d5174ea47488c0f28fa378c238d0bfb8cc91b1f5ba30b5664e399b12f1bd1a995941a190bb2a57

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYg:vHW138/iXWlK885rKlGSekcj66ciB

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
    "C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\hitoc.exe
      "C:\Users\Admin\AppData\Local\Temp\hitoc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\weybw.exe
        "C:\Users\Admin\AppData\Local\Temp\weybw.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    061e1a7b6dd73689632ea9992e4df62f

    SHA1

    e30e7d684cb4a1d70e86c807f21d2a75c2bd4650

    SHA256

    7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c

    SHA512

    62e339e31fc5b10b14b844fc251077549066f03b415867a9bc2a984f768e69e3f544d900e1e956757d52a07427074cb4d14cc3a65c8215944d3119e05493e2e5

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    bc419d2d468f8008aa9d944c24f8aad9

    SHA1

    e47aa37b355deb18941c4cabbbf81602a2ceb629

    SHA256

    8ecbf27be9a3b09041ffa3f7fb4a013c327daee37b251c2d54c3580b56556a19

    SHA512

    54f1533731d355e1ddd5cbd2aa83b3941fd97ab8be0e42e251a79f13051baab2c6c7a80fb43825c192e1a835bec5076cb72940afa4f2a1983893a2ea8fc3075a

  • C:\Users\Admin\AppData\Local\Temp\hitoc.exe

    Filesize

    333KB

    MD5

    9ab6980564e7d735e8e1b28856aca443

    SHA1

    4bf9d6777a47adbefc60b71c2c6786ad4babfd0d

    SHA256

    08d0844c74dc10be43c22853d09f68d05b02e603e6c244ecf5fa6af6a2a33a5a

    SHA512

    ea3747a81d18ff6da6faf8897f97d8c077dce954a8adbf3228abf3fd20d53b6210d9d37307441aabc052971e4adb5c829215f62992275801060eb31cee9d94b3

  • C:\Users\Admin\AppData\Local\Temp\weybw.exe

    Filesize

    172KB

    MD5

    48a5bf97c43bef50a63c2e6a572d6a37

    SHA1

    c60dc436e5773857bba41ade8e12cb77b3e8d946

    SHA256

    24f798f430539d5d34c28ec655c4cd5d71c77ef09bc4a8e907614857dd9df194

    SHA512

    df209b8c945d7cc72588d2777676596755f2809caa20e4bb26f97b24448ee7ab40f4ec8e8b7e79e4bff08f84460350ee417d6d344de8ec8984479b7fa19c3169

  • memory/1520-19-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

  • memory/1520-43-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

  • memory/1520-14-0x0000000001460000-0x0000000001461000-memory.dmp

    Filesize

    4KB

  • memory/1520-13-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

  • memory/1520-20-0x0000000001460000-0x0000000001461000-memory.dmp

    Filesize

    4KB

  • memory/2204-16-0x00000000001A0000-0x0000000000221000-memory.dmp

    Filesize

    516KB

  • memory/2204-0-0x00000000001A0000-0x0000000000221000-memory.dmp

    Filesize

    516KB

  • memory/2204-1-0x00000000010D0000-0x00000000010D1000-memory.dmp

    Filesize

    4KB

  • memory/5052-36-0x0000000000C10000-0x0000000000CA9000-memory.dmp

    Filesize

    612KB

  • memory/5052-38-0x0000000000C10000-0x0000000000CA9000-memory.dmp

    Filesize

    612KB

  • memory/5052-42-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

    Filesize

    8KB

  • memory/5052-45-0x0000000000C10000-0x0000000000CA9000-memory.dmp

    Filesize

    612KB

  • memory/5052-46-0x0000000000C10000-0x0000000000CA9000-memory.dmp

    Filesize

    612KB

  • memory/5052-47-0x0000000000C10000-0x0000000000CA9000-memory.dmp

    Filesize

    612KB

  • memory/5052-48-0x0000000000C10000-0x0000000000CA9000-memory.dmp

    Filesize

    612KB

  • memory/5052-49-0x0000000000C10000-0x0000000000CA9000-memory.dmp

    Filesize

    612KB