Analysis
-
max time kernel
120s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 12:36
General
-
Target
41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
-
Size
326KB
-
MD5
50a3d5650fd5b53e793e526147985840
-
SHA1
8e7bc7907a5f24c7bd3331ee3d7ac8b32617b042
-
SHA256
41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72
-
SHA512
79b3208a137098624c847a42cf8fc3370428cafb350b91532ac592b239ebaac55811ff60a2fba5e022097510429b6b2505b7b063786e4dff8650841123636548
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY5:vHW138/iXWlK885rKlGSekcj66ci0
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe"C:\Users\Admin\AppData\Local\Temp\41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\akfaa.exe"C:\Users\Admin\AppData\Local\Temp\akfaa.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gyitn.exe"C:\Users\Admin\AppData\Local\Temp\gyitn.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5b65c0e5c9635e3d150f505115b7a84c1
SHA1348b499ff301db54c4b54cf32ba8af5a8274532b
SHA256139f15f77361de23c657a4d6be0499b23fdafb0277b255f357080f2c891e0f05
SHA5123fbed4aa47e2ba8102e0bfa172cfe306997d1f6f443e73292725c68677546f05fd8d6efeba0409606a00eea4c2c70cd5ad112530f657288c208fd5ae038bfd04
-
Filesize
326KB
MD52fd40c46a106b645dfb8dd71b4973431
SHA13a0186cdb76278a9360fb5a9917639ddffa670a0
SHA2561743dd9e6a53b295136043c96e55b29548fd80bb94c394e5f793d94383d84fe3
SHA512c73dc4ed5af84850500ce8784408b48f1083ff6fc195e55353cf087a15b049a4b5fea945a8ad45a379eeb0fa6d20764fdd694c0c18dfc2a3c458c72a9d871f0d
-
Filesize
512B
MD58368378e2d8384bc4cdcbb16ecd8f5c5
SHA16c8e2ca1c9193de50796eb9da07be537d6a76b52
SHA256349c0a83c9d36467f3ccaf8ed6f7357bfcb0fb711f48a40aaecdbf303db16adf
SHA5125d656b8e3bf970bb981802d24e3207e9a23fdee4c114d0e6488358dce10f414765ac7fe1e1cd084c0d8500dc46b1fc34e58dba087cb740434a8f92b40ea90ab7
-
Filesize
172KB
MD50f52d8d7f95adae470dd9421c52925e6
SHA1ed9026594af8032b68e1658853d1e1f0699e09c5
SHA256e000ac5c1b55190804c9a8169cea16de5860336c1a57f455f542bb476997da82
SHA5128ce7f839df66f64e5aae6117b453b3dd269226540117b4efec891bcae974ee48798ac836b124246601436ed6b38755e547b0878aa177fb066e3e51278730efbb
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB