Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-10-2024 18:58

General

  • Target

    12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe

  • Size

    343KB

  • MD5

    5cf93f15082a5e5b4ac032d42179d36a

  • SHA1

    ff796054fc055bad3f24e65cdf41a637691110ff

  • SHA256

    12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1

  • SHA512

    8a26411a95ce1a17119ea3d99132e6017f95798eb8f82982366021ae9cadcfef8f2f938b11e73e4529c38872d9bc300b20f03c5b8c145b6c910547403ddd38c3

  • SSDEEP

    6144:Nd7rpL43btmQ58Z27zw39gY2FeZhrL8Awb:X7dL4AZ0U9gY2FhAy

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
    "C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Local\Temp\bowuw.exe
      "C:\Users\Admin\AppData\Local\Temp\bowuw.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Users\Admin\AppData\Local\Temp\veovce.exe
        "C:\Users\Admin\AppData\Local\Temp\veovce.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\AppData\Local\Temp\qohuy.exe
          "C:\Users\Admin\AppData\Local\Temp\qohuy.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2524
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    340B

    MD5

    770cdab69a28fa9a1cf16240d51f758a

    SHA1

    164154361f4ccaca43687c1a1f0d9999383ebe4a

    SHA256

    fbadee865fe00289a978424feccd4db1c1126fbee1b806cf1acfaa8fcb049310

    SHA512

    225a067a51a6ff2eb827c13c0a6195efd2ec9d76cbb931b2743bb7d3ce4813853c4fc5afb3423b8f28a41bb080fe901cf5d768010bad87254a44dad3166549a7

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat

    Filesize

    224B

    MD5

    57bbf78f17b41f19b8de2b566d15b842

    SHA1

    eba9fcae6d5ddd15d394a3eb9669569f7cd9fb89

    SHA256

    606faa26d741fb44c7bfecf733c3bd5eee9430cae2bb37cb223a32c3da1cb9f3

    SHA512

    0cd6e7c29acdd73afe4d3ba223f9d329d16a19d01774a5ebbf41ee38ec4f29c0a5314f04d1d7120ab0621a2d144292a108868e77b498c2ffcc026ae57b211c99

  • C:\Users\Admin\AppData\Local\Temp\bowuw.exe

    Filesize

    343KB

    MD5

    96f89f8e32e859d09815daf6994ec155

    SHA1

    42f51d1b677f2e17df7f6c2f7c123ba40d5355d8

    SHA256

    0f6c49502a84a75ad7885b0ed4bc776695905a2dab4e7d6e3cbc3cf76c9e0e48

    SHA512

    6cfdd9844ac5061aa10cf8b301a02ce8c1e2e38c4e83e3d013be848e23f414ba341444ac34c68adbf101349561788ac7fc2a14a1683784e25ce789c78456bd92

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    28f1b8a0befd4bfda4e57ea27f84272c

    SHA1

    d1fb9e812c4f9ddbe00433898d5cbb4a2b4e01e6

    SHA256

    8560b939c1f554f4c1e099143f1c7c4cdbac8a6cdbd714d743610ac2543da282

    SHA512

    3108f40caed36ecd1fb37fa8289856a50247ea9af4511ec109aefc7b28ef2f67d2971286c51b925ea6b18c6ad4b945e30f183d1541e32c8fdf614fad86690827

  • C:\Users\Admin\AppData\Local\Temp\qohuy.exe

    Filesize

    136KB

    MD5

    b0a8a1829adc67838d2524944c93f722

    SHA1

    c47d1212d9973a83d707dc43e96b96f65420dd02

    SHA256

    a84e17a1e7dd81f657581f6b844ed83162e828d39ca7a9e12702b1a35d7d76b6

    SHA512

    9743ba4e68940eac91e6b31a61c11f5b3f1cb96dc8aa63825d94a9e434ccad4e076d1c7c9115ffb76fc2769bb2f7e335aff8ae2588858d73f0a34553630c0627

  • memory/2524-45-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-41-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-50-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-49-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-38-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-39-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-48-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-47-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-40-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2524-46-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

    Filesize

    560KB

  • memory/2792-0-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2792-14-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2872-43-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2872-25-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2872-26-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/4572-24-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB