Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26/10/2024, 19:12
General
-
Target
2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe
-
Size
333KB
-
MD5
8dd4853010e7db531898aa198b116300
-
SHA1
839c24033a06b4f9ff2abd065f12cbdec61d83e0
-
SHA256
2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f
-
SHA512
1be5cbce7454acf89b94ec27ef1f9c74c3a8ef53bb6a93dc3ca9243ef9a5d612b1400d7215a4107e95512f7f073c65e3ba7d90f735db74c990830acf0444b5f6
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9W:vHW138/iXWlK885rKlGSekcj66ciWW
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe"C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kului.exe"C:\Users\Admin\AppData\Local\Temp\kului.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\naots.exe"C:\Users\Admin\AppData\Local\Temp\naots.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD56fadf302779de6a35911ec20f44eaa9c
SHA1badefcb45d3e18eb9a4af1b8f9b53ba321fd4d26
SHA25680beb48d4f4f11b66385e3347cb54777a8376fc918532c6def8af74f6ee9e4a0
SHA512be028304116ebc759a74721b3d98f97f5948dcdd0767ad86a91e21daec21bd87407ce885c4c7e08f609d1ce89044bdbb04e6db2f1107b73bf344c74993d45001
-
Filesize
512B
MD5a9d5292b47fe5335c0884c7923600b7b
SHA1cda0b731bf3c47af5663422b978c5bd3019cf1ab
SHA256da64bbe7d6c67069377260bfc7a96673c7b2c0a037cc486bde35bbcd53f35997
SHA5120d77c919564971bca244956ea02fd56c3adb0a0a6c62b6c5250f4c12a82e75125776b1d4bc13670c8f1f6793bd808902c618f0cd35de3090c74b454fe711d888
-
Filesize
333KB
MD53fd19f9f81d14b2a2b68bd621f53a997
SHA166f258afb25c9edd72a5985c198b664fec5fc2e8
SHA2562fde33eec22eb0d8d4312565598c25dcc1efce4af5a77235c92fcdc2684e0e8e
SHA5126fb5dbc301664377956874c7cc73af485e38c19c0743b9d998b96aed9cf577a03dc623f0a571b41cabf8bdf610f4996e28883d0f477008d10b046e600b50be6b
-
Filesize
172KB
MD56bc9e0fca93f907582cc2bd9ed7f962e
SHA119553190c36aeae9e6f7201303ce6147197ba7a1
SHA256b1b0c8d9b549d3f92827f1b14cab397a3023f9006c785c9df60b4296276efdcb
SHA512b78b4490befbca785babba7df2b6713a8297a1fabb44762fa00a583f78fcda1665bca30245dff10ae7a6c0ac43dcf7280c83e50206d6e9f84c84f5626259da74
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB