Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2024 15:52

General

  • Target

    890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe

  • Size

    507KB

  • MD5

    536324c02bf4d7cdde41fb4340308a00

  • SHA1

    2dfc4ed8b2e164716c7e10e91f49ac93b3787f50

  • SHA256

    890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633f

  • SHA512

    88fc0cef9ecd31d544df5d8ed11ce20001659edba3c8232600a5d6dbfda0c198e8d0ffcd6efcd8267ed67646cc0a4b719c7005c3ce6fa49faec41cd9f9205e47

  • SSDEEP

    12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo9:3MUv2LAv9AQ1p4dK0

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
    "C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\ipjov.exe
      "C:\Users\Admin\AppData\Local\Temp\ipjov.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\ziuwh.exe
        "C:\Users\Admin\AppData\Local\Temp\ziuwh.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    d940b8bc54d0ba3abac442d2f7d1fcdb

    SHA1

    47e0d5e4566da280d4b36363b8a4b51c0a8a83e4

    SHA256

    df9f78b31a8c9eef7ce3d9c65855649386885b783073431425b13b39f6f84555

    SHA512

    4bc26b9765e24a16ae61d0cdfd4231c156202d40f8b774ab8d6aefd8e01136655e1c8547c3de082ec3f1457f0596ecca2aef9ef79fb097ad5c4b50cf1f946335

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    fe7ce443befc2eaa86d618664da5253b

    SHA1

    c6d82a8dff0f42b249ff48a63fe47d4b4fd8cd0b

    SHA256

    f57ac5055a41ce6e13bd7acde8465447f66519d524b412105583348e82543a7e

    SHA512

    286bb206f8b6f60101d51ccbc79f0ccf2604ff0ae1f839fe11ac7a065919f72b3c1d8f884ba89fc34e66d951f98db0888dfdbc1d05f53c84ac32f0d9b73c0c2e

  • C:\Users\Admin\AppData\Local\Temp\ipjov.exe

    Filesize

    507KB

    MD5

    aa995e5eefbbac4450133d14e9aa11fd

    SHA1

    62fe8d25a5e2c531480a1d7ff71fd63d26ea92a8

    SHA256

    7db5e0a778644590ea4488cdd9f91651f131dd737622151d2b4eeb6380962d4d

    SHA512

    a7a230b208731873cdfe8cd61707eafd5c24655963ee4fcce48cfb0899cf6b7a0d104d0fc26599b9aa23056278b26ca37eab6566c21e4fa1f9089c1f4215d8b8

  • C:\Users\Admin\AppData\Local\Temp\ziuwh.exe

    Filesize

    172KB

    MD5

    06040250b0854d5050cb7c9e13a7d280

    SHA1

    ffbbc16fe5af41bb0258490f8d554dc12ad5d167

    SHA256

    4fdc6b12411605d84b6a0cf55f6b8baca63bae6670b22db7d6b280418874e1fe

    SHA512

    20069e30ce95e5f76fec24042d4b497572be45549f365b2dc12f40866010ea911bf45b8bd73f5915c6e6db092234a60378c93ab1a9fa80b5288756f49e2d623a

  • memory/2012-27-0x0000000000090000-0x0000000000111000-memory.dmp

    Filesize

    516KB

  • memory/2012-11-0x0000000000090000-0x0000000000111000-memory.dmp

    Filesize

    516KB

  • memory/2012-17-0x0000000000090000-0x0000000000111000-memory.dmp

    Filesize

    516KB

  • memory/2092-26-0x0000000000AC0000-0x0000000000B59000-memory.dmp

    Filesize

    612KB

  • memory/2092-28-0x00000000007D0000-0x00000000007D2000-memory.dmp

    Filesize

    8KB

  • memory/2092-29-0x0000000000AC0000-0x0000000000B59000-memory.dmp

    Filesize

    612KB

  • memory/2092-34-0x00000000007D0000-0x00000000007D2000-memory.dmp

    Filesize

    8KB

  • memory/2092-33-0x0000000000AC0000-0x0000000000B59000-memory.dmp

    Filesize

    612KB

  • memory/2092-35-0x0000000000AC0000-0x0000000000B59000-memory.dmp

    Filesize

    612KB

  • memory/2092-36-0x0000000000AC0000-0x0000000000B59000-memory.dmp

    Filesize

    612KB

  • memory/2092-37-0x0000000000AC0000-0x0000000000B59000-memory.dmp

    Filesize

    612KB

  • memory/2092-38-0x0000000000AC0000-0x0000000000B59000-memory.dmp

    Filesize

    612KB

  • memory/2412-0-0x0000000000ED0000-0x0000000000F51000-memory.dmp

    Filesize

    516KB

  • memory/2412-14-0x0000000000ED0000-0x0000000000F51000-memory.dmp

    Filesize

    516KB