Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-10-2024 19:44
General
-
Target
31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
-
Size
332KB
-
MD5
76f5fdf8b29d6d325a2954eb9affd758
-
SHA1
738271ce6399a06456279ae22117905ab63fe4dc
-
SHA256
31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4
-
SHA512
5a3ff505f249bf294e540d1d336a0543f8057bc3b6fa5e7b346f05bf7e88894ef599f11b1ce03e0b81fe66c10ec7ee94bf6c95f7983af5f1ca27b69ac498a090
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr5:vHW138/iXWlK885rKlGSekcj66ci8
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe"C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qytea.exe"C:\Users\Admin\AppData\Local\Temp\qytea.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\guhuy.exe"C:\Users\Admin\AppData\Local\Temp\guhuy.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD53889d8e2dec2cdfaf98392329730f1b1
SHA1b95f3baf21f177f97d91a800d2b9f0aef64da9f0
SHA256353d3edb8e6d4032a387f3a2350280e78859312fa5244af78221c4360ed481ef
SHA512f748ff35ebd437ef0a6fa93a1929087b9966c68b7f338c5d84c5f5a0f857dd069c75e4ce269e00c51ab19f4feff4c061ab22c1e5dedcf942f259c07e46fddd93
-
Filesize
512B
MD56833bdc9e748fe477cd5222d3381809c
SHA1b669b08c0c9d39f4a27eb14098737e1fdeaa61bf
SHA256d983b1d8e98f65ab09252a35c3ce1eda904c50e7306f70429a4716a24c61428d
SHA512da080953696544bd5652eb8c5aadb51915f7ec19052dbcb145b8b38f3989384a7a0d468f484bdcf163a09194538ac44f4678d8fd6fc1eb51b4b0471cce9a65c9
-
Filesize
172KB
MD5252cd8a82b08159bd9ce5bb07ef1ed85
SHA1f6245981352054a2abbd1933f5d97e22e003cc31
SHA2569638fe8107937a36e100e5fc5a2f5ee09fa8612dab5f7258598f7e7fafd1b97b
SHA5124800c0f50d43437264f0dda672cfd08bd5c61960e4b67bbe68fe818592f8bc7862fa4a3ca413192ce6fae476af6ae90ac8a3f761a98decbe6738147556b1a870
-
Filesize
332KB
MD544fca65a1b299b4829839817897c5e65
SHA1a17f735b1601fe57c4e913462837923ff32ce500
SHA25656d76b5125f7a1139e85d34a463c1cc2ed2b7171fb3744866ac78e45764443ba
SHA512ff616db8717b8b7bc6adb1938dcc64b1af3f8ba51ac01623c063db5d2788fe661662cf66cd0cf1c26df163a0de445762bd9e593ffd435fb706a5813b737f0f22
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB