Overview

overview

10

Static

static

10

8fe4515d44...5N.exe

windows7-x64

10

8fe4515d44...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-10-2024 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe

  • Size

    403KB

  • MD5

    c769bee14908ab982b432883968b83e0

  • SHA1

    c49f0b736847fa69ccc308f61ed6d5e65f6e128b

  • SHA256

    8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5

  • SHA512

    90151e14f65afe3c9471a812591b9fd61f0cf3387ddcc2755ef9d59309c6529978e5001daad9ffbc65559eb3ca420123f5716b1b0a2897056f9876a72a88db44

  • SSDEEP

    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohl:8IfBoDWoyFblU6hAJQnOz

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe
    "C:\Users\Admin\AppData\Local\Temp\8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Users\Admin\AppData\Local\Temp\uxryz.exe
      "C:\Users\Admin\AppData\Local\Temp\uxryz.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Users\Admin\AppData\Local\Temp\sodasy.exe
        "C:\Users\Admin\AppData\Local\Temp\sodasy.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Users\Admin\AppData\Local\Temp\ziluc.exe
          "C:\Users\Admin\AppData\Local\Temp\ziluc.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    342B

    MD5

    d5cda0c50c2cfdd33e5d1f0f0a72a235

    SHA1

    695bcf9195615b9e1971ba311d17bee0d7836ef6

    SHA256

    69a5bed46ccae4ca029f3ddd8e18bfff5a799e3457fed5e0b3552ec10e2f378c

    SHA512

    d29c5c1b562a201cc6cffd12ec571c6ac9d1e4ef1a1818d6625d55528a69569c9549a03bc017bf03bc96ad97685a10319fae72ee09c027b3272d17d1814096aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    c072bb36421e0c8bd967f23affcb2f22

    SHA1

    56a224fe8988b38f8d04c6db5b19faaa9f356c12

    SHA256

    963c5def6009019219df6492b831f63a5d6f264128ab01c7ac40baadd80d45ff

    SHA512

    b7d9d4bdefcd9de5217b07a58181a6e410f2e5906e34442d98d7f58b23ad27b20c30c5966c88fdf1a35ec03c31f060e80e4e57df38ceb4380f9b34c1b2cd0a22

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    263a17a5884938aff9bed370da3c4298

    SHA1

    7424d11f6a5edf3e7bdaf871aed9f83160b4dd29

    SHA256

    fcf82a006e075b57aa83e672a0a5748ba2294c900906dfc38d7647d67f708c01

    SHA512

    7912db592f6f8aaea9f7f5c0b849bdd99ad12838c73ac0db8296af74b9db633691e01ea905b5b1615a72942ae467f699d33a877131d1636b325ac641c18ed386

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sodasy.exe
    Filesize

    403KB

    MD5

    a3d95d0e9badaadacf6940928917a7ee

    SHA1

    c02cf842a77c06f4ba624ad865dd56f5bc7e9ede

    SHA256

    88a20dccf6894cf30697b5aa60abf381d149b10a4c6f83dc2cf262c1e5d36452

    SHA512

    15f432af22a3ee15c792589e1e5a7e4d9981c8c5f1bd0536bb7cff15223c773234c01a30ec61e5a4d0fa12d4232bf66ee8e6d677acc94e032558f610a464b4ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxryz.exe
    Filesize

    403KB

    MD5

    3ac999f87c693b64e3feec1a782579b0

    SHA1

    8fd6d2436683eb575a529cbb18a6a7237fe901c4

    SHA256

    adb15ff9e644d54f83b40c5470bbdd53f608f4d89bf33ee51ca5b080fea4e2aa

    SHA512

    c66a56e99688041b536941fd3625ad5f756febdc8e5f30e377c5746cd0d9505dac3252d5ed4bcf6822c213ffa05441979faa9f06817657dc8ba1214288d6a1d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ziluc.exe
    Filesize

    223KB

    MD5

    e9e35f58469e7d2c38af24c3b4ac495c

    SHA1

    d4930831a08c4699f48c5a61a8a7060a56ce7629

    SHA256

    a510035635453ff62dbb80deaf8632ef9a50d34c8bd5409b950d503eb4293221

    SHA512

    87b76b3cfc5a892aa85653cebf1603d972e16b69b6d31cec56ed1e970a3a749bbc6a48a528409f38f6a93213ece6910e07fd8aed284ae0a1bddd7ef8c2ad27a5

    Download Submit

  • memory/532-26-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/532-39-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/2916-43-0x0000000000F60000-0x0000000001000000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2916-42-0x0000000000F60000-0x0000000001000000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2916-37-0x0000000000F60000-0x0000000001000000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3900-16-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/3900-0-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/3996-11-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/3996-25-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download