Analysis

  • max time kernel
    120s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 01:53

General

  • Target

    f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe

  • Size

    332KB

  • MD5

    fdf640909e60daee1293b1321f8f3b80

  • SHA1

    4aaffdacf5e5e882abdc8f73e391696d2340369e

  • SHA256

    f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7d

  • SHA512

    0818753d6a93131720f733917a24fc011b095c9d7f27b58f58a9aa3d2b6ace02c4f928952de04c4a153fc1873466179c30def021bcbb8c84f2f6396a7dbda464

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYk:vHW138/iXWlK885rKlGSekcj66ci1

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe
    "C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\sigui.exe
      "C:\Users\Admin\AppData\Local\Temp\sigui.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Users\Admin\AppData\Local\Temp\xerer.exe
        "C:\Users\Admin\AppData\Local\Temp\xerer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    9aa697a51fdea1d66b8c6ae525f43c07

    SHA1

    28b8563321bae665b0b7cc1b67bb64a2f00949ad

    SHA256

    8c1227dd84ae0ba73ba27efe08233beb3617c909e014ef6a08e0180664bb3247

    SHA512

    fd3e84e4bd4ca2e5e5c5a47034f96c4ebe0e10e0f1e6ac1e2f2551e3d6e6e47f491e8b6f4728ec48cd468c41fa64b89ab33890c22a9f2ab401437ca0ff4c135c

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    d5bdb0d99a15f96e8b89de97fd952cf3

    SHA1

    5f7b78bd1d8cbf9b190584dcfd49b887fd2ee672

    SHA256

    0b5bbf40e1c6ccfc12aead3baa7c2438acb7127a12998733015cb5436840864d

    SHA512

    b3b8293589de85aac0dfe27646f6b450031425a354c8ec3b6af6760e37add1328545703e031d7736a5cb5c9453b616833864059685939e5148f8e4442aedca9c

  • C:\Users\Admin\AppData\Local\Temp\sigui.exe

    Filesize

    332KB

    MD5

    1dbd323238d3fb7df27e9d08a2664668

    SHA1

    a0b89a3e74ed254a4d8c2bc1dce3c7b29a583045

    SHA256

    082a993ec593c2f8e78f3af3261b3f0d4d2b38fc318d7a781f9477f3295056a4

    SHA512

    a46aba88e662f20d9ef1171b665535ea9b2e9370a1b8521ab1e087495ef1a82f00a587de731cfed9f22ee1ecfa832d350fa1b2a5778b0786fcb7bd057869e2f4

  • C:\Users\Admin\AppData\Local\Temp\xerer.exe

    Filesize

    172KB

    MD5

    b4eedfa3baa4680c157eaa7999eda368

    SHA1

    74e7df654780045144055c1ae3bae192edc06f8a

    SHA256

    71547e24af536c5729f8e2a5fad184b870608a89a2f4dc48393230b6439ef66c

    SHA512

    045a06088cc283dd0f63705b44202d92643b97d19195b08531bdb2a642f2db2afd0e12dcdf3c156fe4378f2f01379ec221172236b72e9cf665091b51c9cabedc

  • memory/2368-1-0x0000000001030000-0x0000000001031000-memory.dmp

    Filesize

    4KB

  • memory/2368-0-0x0000000000440000-0x00000000004C1000-memory.dmp

    Filesize

    516KB

  • memory/2368-16-0x0000000000440000-0x00000000004C1000-memory.dmp

    Filesize

    516KB

  • memory/3388-42-0x0000000000260000-0x0000000000262000-memory.dmp

    Filesize

    8KB

  • memory/3388-45-0x00000000002E0000-0x0000000000379000-memory.dmp

    Filesize

    612KB

  • memory/3388-44-0x00000000002E0000-0x0000000000379000-memory.dmp

    Filesize

    612KB

  • memory/3388-36-0x00000000002E0000-0x0000000000379000-memory.dmp

    Filesize

    612KB

  • memory/3388-39-0x00000000002E0000-0x0000000000379000-memory.dmp

    Filesize

    612KB

  • memory/4544-13-0x0000000000500000-0x0000000000581000-memory.dmp

    Filesize

    516KB

  • memory/4544-38-0x0000000000500000-0x0000000000581000-memory.dmp

    Filesize

    516KB

  • memory/4544-19-0x0000000000500000-0x0000000000581000-memory.dmp

    Filesize

    516KB

  • memory/4544-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

    Filesize

    4KB