Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2024 21:21

General

  • Target

    447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe

  • Size

    332KB

  • MD5

    7c8e99d94bffc734270dd6f1e0dc81b3

  • SHA1

    9df80907ffbb9c337b2730ba5c4cd403e71becd2

  • SHA256

    447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e

  • SHA512

    64b04f18aa9839e512f6db38d31ebcf5ca99303fd0d292bc65932f653236d4318708d7b3b4ae0cfa8b587e3e044055885024125327a3d5fc0db69f8137dad9ec

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66ciX

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
    "C:\Users\Admin\AppData\Local\Temp\447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Users\Admin\AppData\Local\Temp\towub.exe
      "C:\Users\Admin\AppData\Local\Temp\towub.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Users\Admin\AppData\Local\Temp\ziozc.exe
        "C:\Users\Admin\AppData\Local\Temp\ziozc.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2744
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    e65a9376fe333282727b25a76cd66ec5

    SHA1

    fe21dae1507df833f84a43b79cf569db749e12cd

    SHA256

    199654939974e220efd54a0df3211958e37625122ac8d38e855d1f0d7fef5fe6

    SHA512

    1ce057075d2ebd36010d9586ac857790c86a62e683b1cda193a8f6f1c670c71c0ff25388b923c472343a0cd1e80bf248227c36e5d9f12acb332e462734cedf6d

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    69e4ab713c4ae2a8b629b7903f4d980a

    SHA1

    33aa22878130f63919b840ed0aceec22f2e31036

    SHA256

    d97e336d64f2f6218712691baec8138eae7cfee199278fe55d9fe20fd825213a

    SHA512

    ef6dd537a67bbfbb9d5b8e410c8693258c95a76513048d64260893944678c63557bfe5a92bb988ad7a27b44bd9a73d111fcfb683a1f0aa21c788c65913baaa0c

  • C:\Users\Admin\AppData\Local\Temp\towub.exe

    Filesize

    332KB

    MD5

    d76193a4dc820c925355a04069e71e54

    SHA1

    4343a43b4d19b134b41c6d0c341c6e556fe0f505

    SHA256

    5606d20d2c8ab4611f5b27593dddc9311ad37d3aae63afa9a45b9b0884ebd135

    SHA512

    5fea2111af98fa4fd1c266535e3743739b46f9901d0a447b54671fd19d07f2364d6a05b02830c5f5b5392e81d0f2a3e5243e6ba4e7f7d0d536f28fdc85352b8d

  • C:\Users\Admin\AppData\Local\Temp\ziozc.exe

    Filesize

    172KB

    MD5

    317ca313cb353a11fe97987e2869cfe2

    SHA1

    deefce944bf3cc4c169d9a46cff3e2191693204b

    SHA256

    d76e4b5a22b7260af2e09321b20c9f02e4744e5eb75c52079e247a99edeabf10

    SHA512

    adc64b330082c3abf76386473a89e2643fe7361ddc0c297b881421b23de4e451946836665597949c94fae4e757dbb1938f4c8733381ac60759dfed5a5e13d610

  • memory/2744-46-0x0000000000A30000-0x0000000000A32000-memory.dmp

    Filesize

    8KB

  • memory/2744-43-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/2744-51-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/2744-50-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/2744-49-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/2744-48-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/2744-47-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/2744-40-0x0000000000A30000-0x0000000000A32000-memory.dmp

    Filesize

    8KB

  • memory/2744-41-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/3108-21-0x0000000001180000-0x0000000001181000-memory.dmp

    Filesize

    4KB

  • memory/3108-39-0x0000000000430000-0x00000000004B1000-memory.dmp

    Filesize

    516KB

  • memory/3108-20-0x0000000000430000-0x00000000004B1000-memory.dmp

    Filesize

    516KB

  • memory/3108-11-0x0000000000430000-0x00000000004B1000-memory.dmp

    Filesize

    516KB

  • memory/3108-14-0x0000000001180000-0x0000000001181000-memory.dmp

    Filesize

    4KB

  • memory/4416-0-0x0000000000B00000-0x0000000000B81000-memory.dmp

    Filesize

    516KB

  • memory/4416-1-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

    Filesize

    4KB

  • memory/4416-17-0x0000000000B00000-0x0000000000B81000-memory.dmp

    Filesize

    516KB