Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-10-2024 16:19

General

  • Target

    39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe

  • Size

    334KB

  • MD5

    bb5fc5011c9188671ce2e87259ed4060

  • SHA1

    5cab1ee050c2ae18e1a0202652ae221a5c0a7865

  • SHA256

    39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06

  • SHA512

    f77c4f71916b43a5b6fb38e129cfd8d7873a9dea0bd602dd3e5a3326deb0d0f2910529dca42fbfcee4ed802d738e650ba6eb50b46aba60251bb3428e06de67b1

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY4:vHW138/iXWlK885rKlGSekcj66cip

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
    "C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\rykyb.exe
      "C:\Users\Admin\AppData\Local\Temp\rykyb.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Users\Admin\AppData\Local\Temp\wyfop.exe
        "C:\Users\Admin\AppData\Local\Temp\wyfop.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4784
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    430e98dab996ed2cb464865e806b08a3

    SHA1

    e00ca96407b820ffd7c622ecd23ee9da27c20a4a

    SHA256

    2fe43b6833cdbee5978204411cb477658513bb1a7db9f043bb19d1e2036ebc40

    SHA512

    537057245f4f43db2089a90bf63f4fd2e4ddf759c8efc6b6c942e55892dcde284904a39abfef55b2353cc22079f1d8791f305cf55a445d55f28e442b20fac5f3

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    e989d87a66ef2a69056d1c9a32df0040

    SHA1

    cfb965201c6847f87c63805f0c6f4e9a5d025985

    SHA256

    f88fe34c6a7036fe244d8e0650f7c2e6c8791586a305fb61982dbbe8c575e66c

    SHA512

    7394b6b1c4ab496c79be754bd018f31ca9baf233d87ac0cdfee1e5d650732ea0a902290bf30ffb5228f1ce7187dcbaee2e46511d03edd6da33270df34c5e6dda

  • C:\Users\Admin\AppData\Local\Temp\rykyb.exe

    Filesize

    334KB

    MD5

    d509bd65b98a43019139f2d2d2b7de3c

    SHA1

    8644b9208b1602bc5d59f4c90fe9fff436b0451f

    SHA256

    468a8282ec4d2bcf6ee2c8507a8eb5d99fad11211752faee9a07585f79572893

    SHA512

    8f958d2bdb34b04fb05530de4743c12f7bb7e1e4c76bda9bff240c9b6bbca5fc8b6cc9956e65413f8c971d08c74955ffab1e6b6a70e22f990eb0859206c06ac6

  • C:\Users\Admin\AppData\Local\Temp\wyfop.exe

    Filesize

    172KB

    MD5

    d69ab04fa2d8f73775c360ac3fb70848

    SHA1

    15a5850ff9b9b75f7f13c3a5ba0142aeb36bee7b

    SHA256

    da35bc28f55dda903ed40260006a0781ff078e00e638cdb2ba0d256ecb8dfe35

    SHA512

    8dfb2838e0cdba6ec3497c415885d144ec61f035f400cd8e14e44be3bc143eb48c1aa17d3a3e96fb10e7522d48350f9e61053d214eb8fe57ec248b081f5f7742

  • memory/536-20-0x0000000000D80000-0x0000000000E01000-memory.dmp

    Filesize

    516KB

  • memory/536-14-0x0000000000D80000-0x0000000000E01000-memory.dmp

    Filesize

    516KB

  • memory/536-11-0x0000000000D80000-0x0000000000E01000-memory.dmp

    Filesize

    516KB

  • memory/536-39-0x0000000000D80000-0x0000000000E01000-memory.dmp

    Filesize

    516KB

  • memory/3452-17-0x00000000008C0000-0x0000000000941000-memory.dmp

    Filesize

    516KB

  • memory/3452-0-0x00000000008C0000-0x0000000000941000-memory.dmp

    Filesize

    516KB

  • memory/3452-1-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

  • memory/4784-37-0x0000000000F30000-0x0000000000FC9000-memory.dmp

    Filesize

    612KB

  • memory/4784-40-0x0000000000F30000-0x0000000000FC9000-memory.dmp

    Filesize

    612KB

  • memory/4784-38-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

    Filesize

    8KB

  • memory/4784-45-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

    Filesize

    8KB

  • memory/4784-44-0x0000000000F30000-0x0000000000FC9000-memory.dmp

    Filesize

    612KB

  • memory/4784-46-0x0000000000F30000-0x0000000000FC9000-memory.dmp

    Filesize

    612KB