Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-10-2024 20:59
General
-
Target
f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
-
Size
330KB
-
MD5
f1e1cde1b78c3011c4d37b778f8f28e0
-
SHA1
1fe7cf690f5b87e656dc61d2e0855347bf511063
-
SHA256
f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81a
-
SHA512
31bca1575ae095daf1fcd97dc007c839224addbc90c72435dec7557edbfa98027c2785d7fda7874fe7635c670775a2b0f8eadaed30f4ba66d9044476aba71e9a
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ci1
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe"C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qyylm.exe"C:\Users\Admin\AppData\Local\Temp\qyylm.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\idhiu.exe"C:\Users\Admin\AppData\Local\Temp\idhiu.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD53a85ad7e26b9ba614e2c31d19781c991
SHA13145733944a8aa72b818f8878b734efa4f3b1a3b
SHA256785cbb203160b3f082d3b9f1d74a4463dd759228247c63b98f466aab26c7ce16
SHA51239e6f1b31d76356cd04938b7c27bbb487aecad37a51dc05b047d4245ee479bf0bcacb5cd74152e2d30bfc97019f8de7a5084e8b210d6e620c55f5afdf2046ef0
-
Filesize
512B
MD58bd7b1179e19182a4e2173a7b7ee43de
SHA14891b1b8ee662a7c80e362cd14bca4c0efba25ef
SHA256a44e6f51a0fb460d0b6bcd751481f798b7e58b04db01357f6e9e12a79ffa89ec
SHA5120175a76aa760fd57bd16a3aa1ec76af3fcca547decc4c6f84fae1aa75615f6abc680609c8730b2d31881cd52da9ec7be1d2150a93f0172c84bf2661c89aa98aa
-
Filesize
172KB
MD528b69c9f21107bb9c5dcab2829df1252
SHA194fb0ea19e145efbf5b40ad4f677dc4d37ce4edb
SHA256ce0a3fa128fa05f0f5bda2127534affbb5205c32582fc9f3c32a3e4de107c4b7
SHA512b5970c6499ff5d329f618736897fff4f0ef0a66797a0014dd2ed973816813fb7bcb6eda352325a829d373da22eb6d7aa8372f32536dc4263eca5002d82863127
-
Filesize
330KB
MD5adc97e00e18fff90e1cd0a3798cc2055
SHA177ad66eca09e4149c2ff0cf8077c26d1681eeec5
SHA25685efde7f5277e5af6f3d67cb08c1e19cf10ca33fc7b73b6e49456781ae50ba89
SHA51240b7f3b1e614b3d61668a06cac9f49beddf148fef1cc9999d37500aa36b3871a3679b9f9027d6c45dd91312febca1ca7c36d26319350a4fa12d4b7d8522cf806
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB