Analysis

  • max time kernel
    120s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2024 00:20

General

  • Target

    b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe

  • Size

    332KB

  • MD5

    64ac1bc4ca221ef927c0f5b570dd2b80

  • SHA1

    157f3607b64b7a69cc3b85ae3e6fb0855dfb9185

  • SHA256

    b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12

  • SHA512

    9a329ce8c12e83cf96aa821bc0d68ee107e388d99e8dc9eaca8d55bf9f62e54d48fbcba4619999925917a62372d3d931fb1a4dc4872c7e94ac516b88830f023b

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ciN

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
    "C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\ujqoa.exe
      "C:\Users\Admin\AppData\Local\Temp\ujqoa.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Users\Admin\AppData\Local\Temp\nuzuy.exe
        "C:\Users\Admin\AppData\Local\Temp\nuzuy.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4488
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    8a72da537d856fe39cf196e33d506de4

    SHA1

    b3fe8a6999f910b62a54af43f93dd9387b3fdc03

    SHA256

    91eb2480d34d1e3f221e5a8f319619ce6d11b48561cc12a3a543ea352d5885b3

    SHA512

    f0324a89c320b64025d33d904bd7de35e04ea761360d5fd79d3319d3872c001c4c743ee621b2aca5494a1f4f1428de026029d046fdcba395dc5fc724b06a3cfd

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    b66922e07df073c93a644e5ca075827f

    SHA1

    cac1cc430e92dd90eb355b97cbfd880b6d8b8171

    SHA256

    5adfcb39a77b2361dbe9ef25811cc51f9ccd9f906fe6c7f162af09891336c78e

    SHA512

    95ea7279f524e9d9550683b125b8d41c5cca8dcf03f7f7a0e7385c87981235a11b3161e9e995d07b6b4e59db963995b6f4e553816e663d6dc6bd4f2fd5eb45a0

  • C:\Users\Admin\AppData\Local\Temp\nuzuy.exe

    Filesize

    172KB

    MD5

    1113854fb9705cec082563540fee2ebe

    SHA1

    3b2404170341c1fd18a53db2642df4c874687a58

    SHA256

    ca53cfee9d7c7a1b5f37383307ec466e69364a91d726f9b7587479fa79d943ea

    SHA512

    1a4dc3c15662958428bc168ecf06911699c49e76f4d2fd119a4bedf48147ae21185786bc4b49f093c80220532fb425e9bc3b1e0fee9c9769e71bf3db4ae08de3

  • C:\Users\Admin\AppData\Local\Temp\ujqoa.exe

    Filesize

    332KB

    MD5

    6c562f54d4879673d7833d98244636d2

    SHA1

    441e97d32b53a5f01caa98c2d3d9d1e1c2e4acf0

    SHA256

    1a7e4580c69dbc8c2d20721d6899f1485c7460cbf7cd80cfff232eae17038ea4

    SHA512

    38b807c8ee71def1a1cbf845d78a3154b7c8ca80492951cab8e8220f15e92a08af904cfe49cc05bfaf3fa3fde8267f9f136f5ab4cd2fe013ec144ebd09d2ff27

  • memory/1168-1-0x0000000000F60000-0x0000000000F61000-memory.dmp

    Filesize

    4KB

  • memory/1168-0-0x0000000000890000-0x0000000000911000-memory.dmp

    Filesize

    516KB

  • memory/1168-17-0x0000000000890000-0x0000000000911000-memory.dmp

    Filesize

    516KB

  • memory/1808-20-0x0000000000B80000-0x0000000000C01000-memory.dmp

    Filesize

    516KB

  • memory/1808-11-0x0000000000B80000-0x0000000000C01000-memory.dmp

    Filesize

    516KB

  • memory/1808-14-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/1808-40-0x0000000000B80000-0x0000000000C01000-memory.dmp

    Filesize

    516KB

  • memory/4488-38-0x0000000000490000-0x0000000000492000-memory.dmp

    Filesize

    8KB

  • memory/4488-37-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/4488-41-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/4488-46-0x0000000000490000-0x0000000000492000-memory.dmp

    Filesize

    8KB

  • memory/4488-45-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB

  • memory/4488-47-0x00000000004B0000-0x0000000000549000-memory.dmp

    Filesize

    612KB