Analysis

  • max time kernel
    119s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-10-2024 04:34

General

  • Target

    d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe

  • Size

    333KB

  • MD5

    e672c23daa4d422f768e309c193e0770

  • SHA1

    e1b7ee3969e6c438e9d6480740f0c0375219c105

  • SHA256

    d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeeba

  • SHA512

    bb7bd98a81cc6624471afedc578e3e4690c03e01376a9eadb4fad86a9e3a494cd35b686a5750db96e876956fb84a35be33e6334d89f565e9505227c851af689c

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr:vHW138/iXWlK885rKlGSekcj66ciK

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
    "C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\xavyp.exe
      "C:\Users\Admin\AppData\Local\Temp\xavyp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\mupyj.exe
        "C:\Users\Admin\AppData\Local\Temp\mupyj.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5008
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    da67e38d5dde136007137b726aea20fb

    SHA1

    d4df79c1e92552e1fb2244efd1acba9731b402eb

    SHA256

    5ce46a0acdf39622c6c874b2580ccdf85aed56aa5498ec2dba7238f015be6a17

    SHA512

    618703f129df422bdce0a30089884973ffbff5d192dca50e476629b4749feb50e8e843b9a4a3b2219a6c53d8d29fcfa2ff78be8ede1194544a9fe1b690d7c036

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    c72d799b536feb60481c828c776285e8

    SHA1

    e22ab4ef3a83548d7fca6231a0eb1c35276afb15

    SHA256

    09216808139e926a13ca7736fcf38660be341b874e7813983c8e6ef4065e6d49

    SHA512

    8ca393ae45eb4775bc7c09ebe53f2f1b174e3ed36b29893693e9e2b1267c8cfd9bb7d2f6ee419f7cfafb319f44599384d2d7da711dd45455c51983157b0786c5

  • C:\Users\Admin\AppData\Local\Temp\mupyj.exe

    Filesize

    172KB

    MD5

    bb294fb1dc008f41c789e020928efcfc

    SHA1

    b940bdb6a9fff67f1ac31ad712a53378e3bf79dc

    SHA256

    bcc60988b1533a885dcf9c54d14bc39b5b9ec1edc0b721149fd30ad733ec9498

    SHA512

    41ef6586f3c5cf535cb1ed00546138b3c4d8892313ef4a7f6ef11855c5590df66a1c3957f1c8dc65d101cbb499ae8d8f3e35a2a35f6d0ee7b1b948423b4c36a6

  • C:\Users\Admin\AppData\Local\Temp\xavyp.exe

    Filesize

    333KB

    MD5

    9f570a371a01cf5ade01a5318db2f11c

    SHA1

    1aa15d4809fa44fb80f3fb6d3a1d770cc1759b48

    SHA256

    c43a06ab673be40b5825733ffc3528566a29dee4cc0ba4015fced2720e72d269

    SHA512

    00737eb0eafe66ca355cb27df6a16fc82a023e9d1c75a70d22b18a448e38d21139deceaece3dab2c4af48e21aa1055d3b40c34bddf6fabeb420a0bd56cc3ec46

  • memory/1284-1-0x0000000001350000-0x0000000001351000-memory.dmp

    Filesize

    4KB

  • memory/1284-0-0x00000000007D0000-0x0000000000851000-memory.dmp

    Filesize

    516KB

  • memory/1284-17-0x00000000007D0000-0x0000000000851000-memory.dmp

    Filesize

    516KB

  • memory/3052-20-0x00000000006C0000-0x0000000000741000-memory.dmp

    Filesize

    516KB

  • memory/3052-11-0x00000000006C0000-0x0000000000741000-memory.dmp

    Filesize

    516KB

  • memory/3052-21-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

    Filesize

    4KB

  • memory/3052-14-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

    Filesize

    4KB

  • memory/3052-44-0x00000000006C0000-0x0000000000741000-memory.dmp

    Filesize

    516KB

  • memory/5008-38-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/5008-39-0x00000000004D0000-0x00000000004D2000-memory.dmp

    Filesize

    8KB

  • memory/5008-40-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/5008-47-0x00000000004D0000-0x00000000004D2000-memory.dmp

    Filesize

    8KB

  • memory/5008-46-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/5008-48-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB