Analysis
-
max time kernel
119s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 16:46
General
-
Target
79a9298000ac5816da0161413a84bce2517f181ae9fe9e73141b1f8e4d0cc510N.exe
-
Size
332KB
-
MD5
b09020dd8f734eadf440b69c73712ba0
-
SHA1
a1fd6546be419b349d10be0f7dd6a4d2e529854e
-
SHA256
79a9298000ac5816da0161413a84bce2517f181ae9fe9e73141b1f8e4d0cc510
-
SHA512
67375bec2c5b3bfa940398381bbb64a5575694998b7e67ff15d975fbcbbfb0a86f75b6231ac7e979ccf6e200fa56975d5a6e719b80f6f4f5d96fddee67e2fee2
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVo:vHW138/iXWlK885rKlGSekcj66ciEo
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\79a9298000ac5816da0161413a84bce2517f181ae9fe9e73141b1f8e4d0cc510N.exe"C:\Users\Admin\AppData\Local\Temp\79a9298000ac5816da0161413a84bce2517f181ae9fe9e73141b1f8e4d0cc510N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\boovb.exe"C:\Users\Admin\AppData\Local\Temp\boovb.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sulyg.exe"C:\Users\Admin\AppData\Local\Temp\sulyg.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD50f62c5db33e6a09b1be91f5cf0c7629d
SHA120ee8300881fe8c0359d0258539d81c53d5a2a1b
SHA25645a902081eabbc7ed2c13e32dd1d77323cffd36ada27d5dd5541822db42e4de0
SHA5129f41b912cc3b27f374a884a43a49f3a2e14ad3e96b66490c2ace99bfa3e31b64af34ba40709946f4fd3c9f796a62086f78ee60f0823ea7c951f7b2ec25f46b8d
-
Filesize
332KB
MD5914889a6b674768be95f27758a90331e
SHA1815298631ff2964209597e19777212bda19af7ef
SHA256669da01bb91f113ec48d69e37529de7738c4959c9a6c99e7601248e08a310bc0
SHA5127ef714d55c5b92815f2afb993056e0d50103be059a79fe1d4bfe94e5308511fd83b3d5f9f7a4cdfead19cb3f93749153fb1c0446005d53aae860808afd6c029f
-
Filesize
512B
MD59c584c3639873e12067e348022002e5a
SHA1da2253297f2559235654097807737abaf13b0958
SHA2565c3b92c3d65e0a6324e05d80defb797c1fb7e5e666bfeabe706038f8becaf0a5
SHA51239b70ebbddfdd6d0d4acfeeb0c1d9d213d77d77dd8b406c6b8403f3e1b4dbe2fdaef2bdaeeb3f4d876c7e127ac26de690b57639bed040887262550909586833b
-
Filesize
172KB
MD5fa23400d29a9fc63b3cfae8e63d063b6
SHA1731da8cbd982b4adb95c7707e4ce6184993ccaf1
SHA256cda87af6cf4c12d81db72718fb89e5db02ea6ca44e6b2d456438f376576eee4a
SHA5120516ec024c8d546dddd60548ac4cbd7417d3442dca936bf63db6983b9a91ab48b24379cf30d52dbe42c062c01df43840a50911e0eb054369a522a078c70e327f
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB