Overview

overview

10

Static

static

10

dd1ae913f2...7N.exe

windows7-x64

10

dd1ae913f2...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 00:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd1ae913f25c042958c763b0ab72485868230085d7e3131dc76dbebbf0b132c7N.exe

  • Size

    167KB

  • MD5

    c9bc2f653a9dd035d8569be6b02ffe20

  • SHA1

    3ef6cbc86a9ce7b2ef415462920c1b8818d8b398

  • SHA256

    dd1ae913f25c042958c763b0ab72485868230085d7e3131dc76dbebbf0b132c7

  • SHA512

    ae0e60ccf65796d9cc6c18fe2239cab23d954b72f51a3bfb6a8983439d289c92d0744420ebb2c4ba3e911414a99ad92861382df3cff027792bd4bc820ec37aa1

  • SSDEEP

    1536:P0jMVO8LWbp4Zt/kvT2/AWbAoUETLKyUGDeF3eP8UVuC65RG08AU8f5fqeLl:P0jLTp4biALbUGcC65Q08Ak+l

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd1ae913f25c042958c763b0ab72485868230085d7e3131dc76dbebbf0b132c7N.exe
    "C:\Users\Admin\AppData\Local\Temp\dd1ae913f25c042958c763b0ab72485868230085d7e3131dc76dbebbf0b132c7N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4108
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    dd1155cbc9956e5dbeee97b18e3c4c5a

    SHA1

    e5f61bc0d1bc9ad93206ea16ddefca0900ea780c

    SHA256

    53be558f961cb503bea4e622d7833128bb01c698cc3cc6d3ec9b1cf1bafe72b7

    SHA512

    1e384513a0d2bb4d797d714f93afdf69efb2be05217fd6b5f421fc3f776ec89431b20d5a82e731d7d78c7d4f8fae3ab49880b524844b3c5e16281fa83d00a1ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\huter.exe
    Filesize

    167KB

    MD5

    26b145ca1302b27752cf6dd26f483987

    SHA1

    e2c934dd9aab22c39e4f0ae8f4693a0e203ef7c0

    SHA256

    92d512ebb139a05c50afa651ce9a7a17217e284e49e9c71c53d06dc2bc3fa301

    SHA512

    42dd0d8b295748855843856dce56237301b0027e78dac47c3eb4ee4449d6eddd890c4c5b8e008ec5bca9448b8ab20ddedbfc4beb56afa821489c84624eee30c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize

    340B

    MD5

    5de648e8d2ec05027c7243c1b9be69df

    SHA1

    acb50ca87fc1eb296e1a242ea4072d5d326b68c7

    SHA256

    7722f746101997b8b24e6e72d972429e36ed0e1b605b9b616de2c8d6ace4a69a

    SHA512

    e05f5355f9e0230a697e158d2cc3696555babb814c13a72d1e729ade82254d5a2485be8535e1906d1e57595a53e586a89ad3406915257c0c57a5940212549e35

    Download Submit

  • memory/2552-0-0x0000000000420000-0x0000000000451000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2552-14-0x0000000000420000-0x0000000000451000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4108-10-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4108-17-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4108-18-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download