Analysis
-
max time kernel
119s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 20:58
General
-
Target
378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe
-
Size
324KB
-
MD5
597949f45a51a183b2cb794f4ebe2f60
-
SHA1
ca85370e47fbfa1424d4ab7e89e0286a68a41fa8
-
SHA256
378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995
-
SHA512
7240a58c3330b87d094727e4f87bd52929ac86f4444cbf54ee006003d8a3a0b1e82da754b08a9e43cabf030a03ffca14d7bbfe3979b6d14036fd65faf6c55345
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYH:vHW138/iXWlK885rKlGSekcj66cie
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe"C:\Users\Admin\AppData\Local\Temp\378c0e918ece70f116fff3289db09765609ffc7579821c7e5d2860b59b26f995N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kycul.exe"C:\Users\Admin\AppData\Local\Temp\kycul.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\idpub.exe"C:\Users\Admin\AppData\Local\Temp\idpub.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5f024ff3914b6b0332f680b1ce48381ee
SHA1a9d8778af0e9432b9a60c42a4a2361821cbf9ae6
SHA256f695fd7e7034d15c2d20c017d84498e7536e197251837cbb01b221f7303be1ea
SHA512886649c57d62c9472016164f3cedc942efa81e2930beb14001e1a215a13070d105b3a0d73f2a6aface167142aa5a675008f42f684ebae0859bb912897949a0da
-
Filesize
512B
MD5916fc4d532d7dd337f741256311388da
SHA1901c1eb22fd6fdc668c822a3e1a0c02c29a9d094
SHA25670f58a08b8f185d93a10c30367e187cc6782babc232ae68f8555a972a2cd7bc9
SHA5124749007dd93e7149dcd6e2c8847a006d1729f6916b939ac14f918ccaf18ee2fd0d3eab2434cd1c59eaf0fddeac65af129149b8ce7c09ad19a7cd15e04ac3b3b4
-
Filesize
172KB
MD5070333de261017ed9ef225ecec3c0db2
SHA14ccb7f308d285dde2f13f60ce540bc62392010a2
SHA256d3f562069f8bcbb6775c936127d758661fa83da21bbeb06541ae2fcdb0197f6e
SHA5123edcf321c9a937689600e8f7a0ff948726fed35b01325d6bcaf4f3c83533c28eaf0b6a9a369f03e79514a16989fb566259b77d8eae11da99959e38867227f829
-
Filesize
324KB
MD5a2ab4d762d734164893c96fe54dd856b
SHA11fbaf3d230f8ebbbb30c5764b25061cc58667289
SHA2561b1484dfcdddb844e52c4ac3b7cc7426c90615e0dc8780b41a0fb0ee9044ac22
SHA51212dd23e3d86e464bf92e9a64090e66f1bdf380b6f98f6dc46d79dffc0c06ccaa4000b2fa7ebd7d9779f6ab4b95d71c8381720060adeff497c98c0d63af3f649c
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB