Analysis
-
max time kernel
119s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 21:21
General
-
Target
3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe
-
Size
324KB
-
MD5
96cbd49ff3683846471981dcab152fc0
-
SHA1
8bf48d25256ae54a9d1afc01aaa7d99a80a3297f
-
SHA256
3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fc
-
SHA512
eef98866db824f707f05d038a6a9381037e9cba538fa3954306377a26e61c80438b62a29205c30f4c42e4c52637f3f70b5dadedbe717a184e0ece843b1e28230
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYX:vHW138/iXWlK885rKlGSekcj66cim
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe"C:\Users\Admin\AppData\Local\Temp\3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\disif.exe"C:\Users\Admin\AppData\Local\Temp\disif.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wywej.exe"C:\Users\Admin\AppData\Local\Temp\wywej.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5bc08f8ac91d6612094694b5f3a19c5f5
SHA162273a0c7275a4191890a7d034a6b176ba17f63c
SHA2566d9c1b28c359197345b80edb5bcc7fb24f4c2658d345428d0dbd2870cde89343
SHA5124ce12e5bfc2e5a3f0e100149f6ba9245d0c7bc452fa847ce6064288a9221de9279a21bcd25fe355cbf9c5fd39a18710d74a9cdab86210bdeebb2966c8425965f
-
Filesize
324KB
MD58c66f455075f63fa27f7543967b71ac9
SHA1dd9974db89e48e66ae1ab59a5016b572645fb97c
SHA2565bbd0d912da5c4caa3073bdd5f0bce15194c9cb454c1837822156744364f3d05
SHA5129879b497f7e0ba54ea6582f40bfb3983c2645cf160c1083e370133c8e19c9bd0d008165b4446528b29a443a9aea4236bd89f3ec97ddba276599cc1116e067bd2
-
Filesize
512B
MD53091680c94258a542af3b11fa1eb1ff3
SHA17cbf0bab5c40251331630cef82921463a169d722
SHA2568e8ab51f4fe5024583b3fdd8399f87bece2fa57d1d15290775a6ae69db0b9384
SHA512a54dc7dc34ab1d852d5d7543576862248528d5729676e66716586a9574f543126d7676449f2b983aaed9bedd612e7baa7ff2270b75707a85fec2ef23b05b9fef
-
Filesize
172KB
MD5f06c875e35f5cf6bc69633831c9dbd5f
SHA1c0ad81dcce5cca195caf91e48b39af6df65a9876
SHA256923336908525ce7c9261dac5663d706950c392cd536595967b39dc633c69e383
SHA512bac1123f6d43c1cac27d47df8b45a2f0ce73ea38237282384c9bd215c2954744b4a11b4a7ddcaa4f378041b85e8548c226ba367071933b25bf400cf1590797a5
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB