Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-10-2024 19:58
General
-
Target
1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe
-
Size
333KB
-
MD5
fe39ab628c336257757d361c4e2ad15f
-
SHA1
19092dbe91f5aa21fef42c5b4dc9a77329687dfb
-
SHA256
1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e
-
SHA512
e1e54485351358657f0f0c43a346947f5ad14e7f5c91d7a996bf82c0b93bb13f38341d6fd5ae129e7807979ea48e4fd747b2a8c299b2ce05e294e557f9af63dd
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPl:vHW138/iXWlK885rKlGSekcj66ciQ
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe"C:\Users\Admin\AppData\Local\Temp\1685b4e9e9e5429103ced068d567a03ad060020cbb6a0b9e689dfd669cb7810e.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lubia.exe"C:\Users\Admin\AppData\Local\Temp\lubia.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\legol.exe"C:\Users\Admin\AppData\Local\Temp\legol.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5ecdfb2822e436b4370f4ff68f6b8dd12
SHA10eb1d15b139c0724b5c55f040548ff79aaae79a7
SHA2565945a62e3aaec26468b4d9341914a60aad6fae87ddd562a43ac1b9a2599afd37
SHA512870e83100f2e097f7c9b3d40ad2918a1bba006fb96c8e3fcf9eb858393ee5ecd8ad010d92bdf9c420a20d2fba5b8aeb448496a4734de38542c332f3afcb36d00
-
Filesize
512B
MD5c6ddd22376eb30540f7f0b62809aaab3
SHA1d4999daad744a11c3567f41bcaed6122e350e6f0
SHA2569479b976af6f18a874e77d88a0a8f3ba0110af3c552dce743918c65e742e8538
SHA512aafd7d7cbc083ef712ac08e11e08836e8bc89894c510f964bf590def69a5741125a4a9197bbb9533bd2c2896a2aff8d1e0c83913dc32ba30b859a1a2e3dbf9b3
-
Filesize
172KB
MD5c92f0ffb639309f7dd672ef7707e44e3
SHA1ec151b495156c1661d570650de937f9bfed58d61
SHA25670d5f6fd551a8e6f43b4c1d8c51cb2eaf216c3482083a3c501b7645e171686bf
SHA512683ca2c1ed216da9615db23666d2dbbaee88b279a04189dc2ee6cdfadddb5e1e0f2f627ad4287f4c545028a1134ce3cecd5c74cdb62a9599d0ceccd9eb748f6f
-
Filesize
334KB
MD5e3fea0a38afda75e730fbfa02a787c39
SHA1d943d2c9e5202c44d63207a70a81d5572abfa92e
SHA256c306300522371a6066c615b94ea9e401d777b55acc1200aeffba1d83e2c8ab87
SHA512882d11f39e949d94a063e5d1ffbcb2ae630bf634fc16a319b179b7bfe56510ad795c0592b4f5657e5eee55fa5dac542a9eed6b8cafb742e808b150e118a4fe40
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
4KB