Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 06:40
General
-
Target
f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe
-
Size
332KB
-
MD5
83374076dc6ef5d043bea1f7c10d9cf4
-
SHA1
b62c29e9220f2ab6332ba3f284241b040d5f11bb
-
SHA256
f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f
-
SHA512
20581f3f8a28f35259b1b2b486668cc2a4b3ac7a9c2ebe8d676dbecbf9f75cee13500fb114cdfb4d53f901b0642e3de021412ec01d22bc6e1d1798fc3d8cef7d
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVU:vHW138/iXWlK885rKlGSekcj66ciEU
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe"C:\Users\Admin\AppData\Local\Temp\f3af36c62543da904680017ab487af4301dcf4bc8434bc1870dadb35b65b106f.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zupie.exe"C:\Users\Admin\AppData\Local\Temp\zupie.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cerop.exe"C:\Users\Admin\AppData\Local\Temp\cerop.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD556c8c7ce1a30447dd8273707cccc2238
SHA1c6303e6f618cb8e809e0535627555b493e92c04f
SHA256c2f4d3aef0a6152f7c2b5a335e53056a45800c6ea1dc5d33c8059d98ebfaf28c
SHA5127065b88d808f760c521f5db7eb237bebe05a85c1e69f4000de3e89381021e8bcb8f9c8b540f8477d20e4addc5d2ec48d6ff170a597f8fc6b6994e27500cbf93e
-
Filesize
172KB
MD580efd46e93049ea7417a41d6d5abdfa6
SHA1faf4d8fa78c38c5022a8f977bc4d619b824a02af
SHA256fad95f366e86638a8150a98c0df946ea0099c32fe9ab61d861f777c804d308f9
SHA51251cbdbd9362e05ac48a9de00f5281f65d85c6eb6137de2ce37025003b37ac6eeb64a5a5c066190c34ec9ed116b6b5703515f3d4276a1fa769e941f06716eb1a2
-
Filesize
512B
MD53e23ef28b3eb0a606316e674b60b6bc4
SHA17de148fc128f80894b7c8605a5ff253fb15ae91f
SHA2564da10dac931f2b9b7a901385456720ae70fc172e3c327c237c7e86513672ce49
SHA512908cb0bba63521a154d917a785ef32a3d134a0a81791e31bddea1936cbd2fe53e272f26fa558628969f5fcd0495e050e0f73d8895bc762d69272afa0a664b3fe
-
Filesize
332KB
MD59a7170ee1cef699695a007a52436da2c
SHA1feec621d2d8d5c97659d1a652d345bccbe700384
SHA2569452512b621a707c4ae7f2afcd500f3d4b573fa96d7d66aba2a6ed8f23b4d1da
SHA5124b68789582691b8d6cd419706df05b4b7d61c22a80d78913e8d20cf940e99aa49304d378d1f520390d04edda60775bedf8d4d985661a06da0005e815ab7292ab
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB