Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-10-2024 03:49

General

  • Target

    d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe

  • Size

    332KB

  • MD5

    cfd3c189d1f86049e9a336e49c8d22e3

  • SHA1

    f6acb447f1fbc3b86970ad8e8432a02e47ad3308

  • SHA256

    d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2

  • SHA512

    c450555fc0d22442361bd32c513ae9bef047709dd89b07394e82568a907182f8d522bb4c498b7eb1d642c2e823bc3799ccec3b2a3b60ca5f9f38c995ba50094b

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66cif

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe
    "C:\Users\Admin\AppData\Local\Temp\d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Admin\AppData\Local\Temp\hefuf.exe
      "C:\Users\Admin\AppData\Local\Temp\hefuf.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\jynes.exe
        "C:\Users\Admin\AppData\Local\Temp\jynes.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2840
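
The tree above is the whole infection chain in four process-creation events: the sample writes hefuf.exe (same 332KB size as itself, different hash) to the same Temp directory and runs it, hefuf.exe runs a third dropped executable (jynes.exe), and the original sample separately launches cmd.exe on a batch file from the same Temp directory. The Python below is an added example and not part of the sandbox report: it turns those two observations into detection heuristics and runs them over constructed Sysmon-style process records (pid, ppid, image, command line). The PIDs are the report's; the explorer.exe parent (PID 4000), the `ProcEvent` field names and the rule names are assumptions.

```python
"""Process-tree heuristics derived from the Urelas chain in the report above.
Added example, not sandbox output; events are constructed from the report's tree."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SAMPLE = "d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's tree. PIDs are the report's; the
# parent of PID 680 (explorer.exe, PID 4000) is assumed, the report does not show it.
SAMPLE_EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(680, 4000, ntpath.join(TEMP, SAMPLE), '"' + ntpath.join(TEMP, SAMPLE) + '"'),
    ProcEvent(3064, 680, ntpath.join(TEMP, "hefuf.exe"), '"' + ntpath.join(TEMP, "hefuf.exe") + '"'),
    ProcEvent(2768, 3064, ntpath.join(TEMP, "jynes.exe"), '"' + ntpath.join(TEMP, "jynes.exe") + '"'),
    ProcEvent(2840, 680, r"C:\Windows\SysWOW64\cmd.exe",
              'C:\\Windows\\system32\\cmd.exe /c ""' + ntpath.join(TEMP, "_uinsey.bat") + '" "'),
]

# Drive-letter path ending in .bat, as it appears inside the cmd.exe command line.
BAT_RE = re.compile(r'[a-z]:\\[^"]*?\.bat', re.IGNORECASE)


def in_temp(path: str) -> bool:
    """True if the file sits directly in the user's Temp directory (case-insensitive)."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(TEMP)


def temp_chain(pid: int, by_pid: dict) -> list:
    """Walk up the parents while every image lives in Temp; returns child-first chain."""
    chain = []
    while pid in by_pid and in_temp(by_pid[pid].image):
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_alerts(events, min_depth: int = 3) -> list:
    """Return (rule, pid, detail) tuples for the two heuristics below."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        # Rule 1: min_depth nested executables that all run from Temp
        # (report: sample -> hefuf.exe -> jynes.exe).
        chain = temp_chain(e.pid, by_pid)
        if len(chain) >= min_depth:
            alerts.append(("temp_exe_chain", e.pid,
                           " <- ".join(ntpath.basename(c.image) for c in chain)))
        # Rule 2: cmd.exe running a .bat from Temp, itself spawned by a Temp executable
        # (report: sample -> cmd.exe /c _uinsey.bat).
        if ntpath.basename(e.image).lower() == "cmd.exe":
            parent = by_pid.get(e.ppid)
            m = BAT_RE.search(e.cmdline)
            if parent and in_temp(parent.image) and m and in_temp(m.group(0)):
                alerts.append(("temp_batch_from_dropper", e.pid, m.group(0)))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in find_alerts(SAMPLE_EVENTS):
        print(f"{rule}\tpid={pid}\t{detail}")
```

Rule 1 deliberately ignores the file names: hefuf.exe and jynes.exe are per-run artefacts, while "three generations of executables all living in Temp" survives renaming. Rule 2 keys on the parent rather than the batch name for the same reason.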

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    13fdc7532858d3efc012dd845602b5c0

    SHA1

    855cd250184f9f3e71c9358f6f1b11ce8aa6aa92

    SHA256

    fbafe6c113a34d13660efd70dd4133f1e53faed86b7dc7b460048b251a9efd14

    SHA512

    1e0e71d1a29e7f678e22933bd965d3eed362c0d91da0a81f91442ab60fd7fc20a4cfa8d781b7d2f3bf8dbee03d43afce9d52b61790dce65995941a435f5962dc

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    d496d03aabe330076e1d9929cba54297

    SHA1

    2d135c8115e53c8dc5dd2cde6367f39e561a2505

    SHA256

    64ac4844e1d1a5ad9d5a4101e9e6a2a3b79ca9f984e56fe7e2169dbe00c5171f

    SHA512

    23f4ba9d0bc0dd4d2197c8745d863e7eef8bbc31a1d92ad3eebc3657e46d03269eee329bb86f08c69161d1d5ea864e0424c37092fdf75011018b8b72568333e1

  • C:\Users\Admin\AppData\Local\Temp\hefuf.exe

    Filesize

    332KB

    MD5

    52bfd6709817e0a7b15394ae04f8fe8e

    SHA1

    5108272c5094816700441144d14094ab9c9622af

    SHA256

    3ed37a1d6e54d5902d3257fab1c6347ad7da4411f306c55d54f016f718adb7b2

    SHA512

    f45669818a46972b5084aa53ed7f03e90f3d147d699ff8a35399a84d98d52fcc5bfc2797b55c976982e18a33c821a220a767babd8daa0de8339cefb3490aa3c7

  • C:\Users\Admin\AppData\Local\Temp\jynes.exe

    Filesize

    172KB

    MD5

    3a20897fc2c9ca14dd93170f9c222312

    SHA1

    764a598cde4b2fdf1ac7ad5a049d6d5d4b1c7d87

    SHA256

    1069a80be2e82e52ebf797d4ac044e6ec37454ac1bb902deeccfe880e1a191ce

    SHA512

    3cf8da0d2c69889e5b2b77714dbd3adccd24e8a585e094658e18c20aee43d6dacc741e864486a1580cfee23770c35a7d4538f0ba6fb1523aaf802e5eca6dd91d

  • memory/680-1-0x0000000000850000-0x0000000000851000-memory.dmp

    Filesize

    4KB

  • memory/680-0-0x00000000007B0000-0x0000000000831000-memory.dmp

    Filesize

    516KB

  • memory/680-16-0x00000000007B0000-0x0000000000831000-memory.dmp

    Filesize

    516KB

  • memory/2768-35-0x00000000005B0000-0x0000000000649000-memory.dmp

    Filesize

    612KB

  • memory/2768-39-0x00000000005B0000-0x0000000000649000-memory.dmp

    Filesize

    612KB

  • memory/2768-37-0x0000000000F00000-0x0000000000F02000-memory.dmp

    Filesize

    8KB

  • memory/2768-45-0x0000000000F00000-0x0000000000F02000-memory.dmp

    Filesize

    8KB

  • memory/2768-44-0x00000000005B0000-0x0000000000649000-memory.dmp

    Filesize

    612KB

  • memory/2768-46-0x00000000005B0000-0x0000000000649000-memory.dmp

    Filesize

    612KB

  • memory/2768-47-0x00000000005B0000-0x0000000000649000-memory.dmp

    Filesize

    612KB

  • memory/2768-48-0x00000000005B0000-0x0000000000649000-memory.dmp

    Filesize

    612KB

  • memory/2768-49-0x00000000005B0000-0x0000000000649000-memory.dmp

    Filesize

    612KB

  • memory/3064-19-0x0000000000B10000-0x0000000000B91000-memory.dmp

    Filesize

    516KB

  • memory/3064-11-0x0000000000B10000-0x0000000000B91000-memory.dmp

    Filesize

    516KB

  • memory/3064-14-0x0000000000400000-0x0000000000401000-memory.dmp

    Filesize

    4KB

  • memory/3064-42-0x0000000000B10000-0x0000000000B91000-memory.dmp

    Filesize

    516KB
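
The hashes above and the three C2 addresses from the malware config are the indicators a responder would actually sweep with. Note that file size alone is useless here: the dropped hefuf.exe is 332KB like the sample but has a different hash. The Python below is an added example, not part of the report; it embeds the report's SHA-256 values and C2 addresses, hashes files on disk in chunks, and classifies connection records. The file and flow records it checks are constructed, and the 218.54.31.0/24 "same network" bucket is a hunting assumption (all three C2s fall in it), not an indicator the report states.

```python
"""IOC sweep with the hashes and C2 addresses from the report above.
Added example, not sandbox output. Hashes and IPs are copied from the report;
the files and connection records checked are constructed."""
import hashlib
import ipaddress
import os
import tempfile

# SHA-256 values from the report: sample, dropped files, batch script, ini.
KNOWN_SHA256 = {
    "d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2": "sample",
    "3ed37a1d6e54d5902d3257fab1c6347ad7da4411f306c55d54f016f718adb7b2": "hefuf.exe",
    "1069a80be2e82e52ebf797d4ac044e6ec37454ac1bb902deeccfe880e1a191ce": "jynes.exe",
    "fbafe6c113a34d13660efd70dd4133f1e53faed86b7dc7b460048b251a9efd14": "_uinsey.bat",
    "64ac4844e1d1a5ad9d5a4101e9e6a2a3b79ca9f984e56fe7e2169dbe00c5171f": "golfinfo.ini",
}
C2_IPS = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}
# All three C2s sit in one /24; treating the whole net as suspicious is an assumption.
C2_NET = ipaddress.ip_network("218.54.31.0/24")

# Constructed flow records, not taken from the report.
CONSTRUCTED_CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "218.54.31.226"},
    {"src": "10.0.0.5", "dst": "218.54.31.9"},
    {"src": "10.0.0.5", "dst": "93.184.216.34"},
]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_dir(root: str, known: dict = KNOWN_SHA256) -> dict:
    """Return {path: label} for every file under root whose SHA-256 is in known."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            label = known.get(sha256_file(path))
            if label:
                hits[path] = label
    return hits


def classify_connection(dst_ip: str):
    """'c2' for a listed address, 'c2_net' for the same /24, None otherwise."""
    if dst_ip in C2_IPS:
        return "c2"
    if ipaddress.ip_address(dst_ip) in C2_NET:
        return "c2_net"
    return None


def match_connections(records: list) -> list:
    """Keep only records whose destination is a C2 (exact) or in the C2 /24."""
    out = []
    for r in records:
        verdict = classify_connection(r["dst"])
        if verdict:
            out.append((r, verdict))
    return out


def demo():
    """Run both checks on constructed input; returns (file_misses, file_hits, conn_hits)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")
        with open(path, "wb") as f:
            f.write(b"constructed content, not the sample")
        misses = sweep_dir(d)                               # nothing from the report is here
        hits = sweep_dir(d, {sha256_file(path): "constructed"})  # sanity-check the sweep
    return misses, hits, match_connections(CONSTRUCTED_CONNECTIONS)


if __name__ == "__main__":
    misses, hits, conns = demo()
    print("report hashes found:", misses)
    print("self-check hit:", list(hits.values()))
    for rec, verdict in conns:
        print(f"{rec['src']} -> {rec['dst']}: {verdict}")
```

Exact-match on the C2 list is the report-backed indicator; the /24 bucket is for hunting neighbours and should be triaged, not auto-blocked.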