Analysis
-
max time kernel
149s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-10-2024 15:19
General
-
Target
8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
-
Size
332KB
-
MD5
80c40844ce7c96763356bc8f55442a60
-
SHA1
f2b0bc7ff2c7803dee7c975f8ddc67f80ed59eba
-
SHA256
8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472
-
SHA512
490bb52421406db27c3b12add8876edefbece2aacb87fac488fcb9535aba787025f18776be54d3b26d36e79ef40c8bfa25b5e3b351241cac850c550d9eb600b2
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYh:vHW138/iXWlK885rKlGSekcj66cik
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe"C:\Users\Admin\AppData\Local\Temp\8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jovod.exe"C:\Users\Admin\AppData\Local\Temp\jovod.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\biqee.exe"C:\Users\Admin\AppData\Local\Temp\biqee.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD571eb4b9da5a2bedfb95309abd47afa79
SHA126d120c4c4a958c747ce7da21d20e7d04f1d0427
SHA256235fd21006190231308a396c57ddf9c2e7484667665d628a83ebe1a57d0446e3
SHA5121988d422c392d43b674ca64c76c1e541d16bf6634c036cc7709884169f07c4969ad043e4028a83bb412c983e423570108ca6307c5311d55f57dc23827c12cc09
-
Filesize
172KB
MD50d5a2a53f78ae7584a281935ca7dd1ce
SHA13067b330e2638ae4946bef608b1d444cc20e4c0e
SHA256fca6f371517014f4b7365feecf9325fb43138f3e0896832f20279e3b568c69fb
SHA5129427c3fefd944a99bae0b962fb70bbda67c6393afa2f617d6c8c118e24046dab61626abdf5dc20013bb7b05f5277272b4654cc83f2d83e57ca990b1094d08d4d
-
Filesize
512B
MD56df0a60205c1e5b8a6cb77e158260678
SHA1af227026832d4e8b3bad015c98a0b8e95e15fff5
SHA256fa8037a5f273232d78043eae0cb9d38cff1ec3d443ee088f3e9e50e6cc52bf6a
SHA51287590fccd0cadc6b11e6184e6a739e71e83107cd3be460c979eb904d597646a7bfaea0b825cc10575434fa8ba59b2273392744171846f806b7d585b34e9ab293
-
Filesize
332KB
MD5be4f41391a0aa7c3103e17b4ec64310b
SHA1e051d7ca3a0128f2e5479c9cc5f802c291225df9
SHA25647395c695ea4e82c136c15afb89adcc5b1936119bbceebccf320e6fc0a5fd179
SHA512221dcc3c6e5223af631720ee5418106bd7f0b5274da757a2b2babf95d079319c24c79533670e80e02dfb5a8e764ef9cf1a2d9c2db4bc629511ef020ecd80e890
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB