Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-10-2024 03:22
General
-
Target
cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
-
Size
334KB
-
MD5
d06332b00b98add142bc2aac5c94a0f2
-
SHA1
86258a7f35b74d6c62f5e2ae7ec05cacfb105012
-
SHA256
cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c
-
SHA512
7a18fa80b1cae818a595adf9be937562e8148ca189b8ee785fef5a24a56f2ecf3641ca5a2096377e88a8ed8248a691c0b4bf7a93fe9cb13c1c997393b8645373
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYp:vHW138/iXWlK885rKlGSekcj66ciE
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe"C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\giwir.exe"C:\Users\Admin\AppData\Local\Temp\giwir.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xytey.exe"C:\Users\Admin\AppData\Local\Temp\xytey.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD515820bc0f472e16c48367712bd45bc8a
SHA168b81be582dfe6da08dd2848db5309b4174e628f
SHA256bb610dce6841a5444a54aaecea848fe5a3df3d83191371a57a844a87acb02fb1
SHA51242643673844047646f4434a910876adf9b44b053ea6875e7df557bbbfcfe3d54900bc55ed37a7b42b3cfc7d0e1e5429fc4ddee766737f8c53417cc5a7b528bb8
-
Filesize
334KB
MD5ae3aca5dc376e3a0ff0926ebcc520145
SHA10c49c85042f354381a30d3e0794aa208e99127fd
SHA2568276f0360e681865308b465c10384f7442f5306f133719cc1fe7ac3e16a5d5b2
SHA5125843ed20b3c0d9e8f21841a6c3b6f73503d680d7969332f713a0a35a3ad4164528bec72a7191ce1e32c5b164626807b8ad96c526810304e5694dde53cc9bf0a5
-
Filesize
512B
MD59f9cbb013f62d3bdfada64c6c6069abf
SHA1ce00e7b20340b01810f62da7ae2c96db2525d265
SHA2564f0265e981b7152d88fdfaa0a5b62e01a77eb5501533eafc2b3eacc5fe2af829
SHA5123c09f79336737d1c457ba58d8f39656514dc03768be86dc7efb7d64fd0270cd44282a557bf76dfb9ed1f33f67828f52780675e5c7c9ff4e09430c0392762f2d7
-
Filesize
172KB
MD59923d09a08e3fada87618dd76a352a2e
SHA16703433be11ff3435f301bb08f91a20a17331ab1
SHA256767d9fd1417d647202d727a6a9769d6efc792e80d9feee41efed7032c8f973fc
SHA512b8e7e8ccc6f0172d02ca2e469eab87ddf27f9a000b8b24609dccaa3f5a3f0c377f90e493c68d53e6923acb3489e7271b30b333ab8b1b548b3cb27c84e43a6d7f
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB