Overview

overview

10

Static

static

10

006e6c769e...05.exe

windows7-x64

10

006e6c769e...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe

  • Size

    1.8MB

  • MD5

    6e952f66a99b3f8233c1189928cd205e

  • SHA1

    3cc0b1fa84154ae3a80d9e9a3f34f36f425e3262

  • SHA256

    006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305

  • SHA512

    7cddd48bef8374d417b5b3ce6201808e786d500ad3db9dd861d648f6f42aece62c95bcd57f7c9b73589757f861513d58074067c9e4326e1e2ef4d7d40636b263

  • SSDEEP

    49152:dOPZY2eGXeurFnT0gmRK7oMqkKgb93Jy/ZtvUPtvh1cs28IgkA2Qhamoy:2NeGXeupnPmRK7o9kKgb930hCvh1f289

Score
10/10
urelasdiscoverytrojan

Malware Config

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe
    "C:\Users\Admin\AppData\Local\Temp\006e6c769ec705e5b3b23a6e4ad795cf5af9b8c92b6ef1d59668717c1e5f6305.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\midyg.exe
      "C:\Users\Admin\AppData\Local\Temp\midyg.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Users\Admin\AppData\Local\Temp\qoded.exe
        "C:\Users\Admin\AppData\Local\Temp\qoded.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
    Filesize

    340B

    MD5

    2b7d5984c42c418c3de8a2fbab7e0b77

    SHA1

    0b8b390aae7a42ae48f6807777fb119c288c68d0

    SHA256

    69ec452aa0a16f5a97633f84580d21f0195298a74f6e8827fc9c906bacd310ae

    SHA512

    d87db08ce3dfa05b59ffdd55580311b9ca1918dc36a28c9ac680c27bf59aecb1b620fe75e7c0ad2ad9d854b64df9ef412078a34d0de93686e8dd2c41ebc3cd95

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    82e87a37c6871512424b244e87dd672e

    SHA1

    dce1ed503ef0b34656f99d28fb88c524cc2e72a1

    SHA256

    ba836fb0bcc71885a8e8d72098d725163d6abbea0c6898432795731a8bd70290

    SHA512

    c094448ec9f7b8f7cce882809af2923cc414b32c0c5bb5f1f85e33ae98f7dd0a3331dee96fdadd57d3f7b25ce207f61a25304901e87da41008c91fd109100187

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\midyg.exe
    Filesize

    1.8MB

    MD5

    7421fcfbf07595ede0ff4c8921321910

    SHA1

    24a356454f347e575b28b5545115527ba2695d31

    SHA256

    5c5d2a91f9abca8a1c775836c4c2e54a78dc2cdd947f98e513452915d2fd4a34

    SHA512

    360fc4113844f249a4406798a0522ee8b012a391f74d79a31b93e2e0a16e35517f84c96407cfdedaf93a3593f4dfa751327685fdbbd603efb3313009f5247ed4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qoded.exe
    Filesize

    301KB

    MD5

    d36288a8c386ad68d3c81ae1eda1f16d

    SHA1

    42a8124f268d05df2925e8d2de7988d33bb88187

    SHA256

    6a29e6c411212243bd9b6feaefc4efe9c2d3affc9f8a2e91834eaef8b6a64c29

    SHA512

    1e12107823d2d9a065e2bd715fbbdae60dc644448a200c4e0866adbb64988d9b482ee87a2837587ea709d9ac3e875d5adef7bdfbfba22c2ecc8e015b64a62fd9

    Download Submit

  • memory/1672-24-0x0000000000730000-0x00000000007C4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1672-25-0x0000000000730000-0x00000000007C4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1672-28-0x0000000000710000-0x0000000000711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1672-30-0x0000000000730000-0x00000000007C4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1672-31-0x0000000000730000-0x00000000007C4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1672-32-0x0000000000730000-0x00000000007C4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1672-33-0x0000000000730000-0x00000000007C4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1672-34-0x0000000000730000-0x00000000007C4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1976-12-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2876-0-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize

    1.8MB

    Download