Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-11-2024 07:45
General
-
Target
67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe
-
Size
507KB
-
MD5
a9eaeb04e896a02140c7bbdbf5845a0e
-
SHA1
cbf857f9a0bf3a2db43d0320d3ea29f1914ac8c7
-
SHA256
67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd
-
SHA512
70dedcea8fcdbf85dc2eb9c40ec271ba207516b8074a4f8ba21d78dc1acb0c994e3d42d6d19af7e73d54e4dc6e2ce227d0f08cca1f6a439ffac43c322d642efc
-
SSDEEP
12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK5s:PMUv2LAv9AQ1p4dKC
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe"C:\Users\Admin\AppData\Local\Temp\67069ade38948696e890bb072ab04ead3cd06e00bb05f90f0fd72463e66380dd.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\posup.exe"C:\Users\Admin\AppData\Local\Temp\posup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ziqan.exe"C:\Users\Admin\AppData\Local\Temp\ziqan.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD54f2811e676564ddbb1418c0c13b93823
SHA15461d02935c32866233c49abf1ccf2d870fb2567
SHA2563fff7780a5f6d2b359102a3f8228706fd19310c0b23eba211c14e303b7f8cc49
SHA51215bf5d91b68501e828066694747c78ca217df7d430416156565f47308899d969413e3e887d0cf717bc508f16d9230d9fc246342ce71c27e04bba289cef5b68fd
-
Filesize
512B
MD54f0eb6b6d87fb7975383d240ae396185
SHA1b3905ec14621314b152bb2800005b929e486b08a
SHA256e5ba9de095847f672e3402310ce67ec022ddb5cfa7968353d0dba5aad2177b25
SHA512a2ed6f12cae07e1c91b6a657b3680d2b91daa026ffd97c87fb5369c67a91bd90b3c39a306396002f8284369bbf83f077bde174e470956926bbdf0cb8555d6153
-
Filesize
507KB
MD5e16d5950bb0d05b7887a953a04f4096f
SHA1933d9a19cde1ac1a00d89d6989a9b9bd164c9fe5
SHA25688785415776683083ce5ce28b97c34d2cd0156592bd642254a54b7e0abed4455
SHA5124e3692726c62a82baaf386dc57f51d6d9633b1a2d5eb41ecd8b55c74ef76e0cf21fe7c6f307cd8ff55971c1f7a7af469b5f5ce2cef3186b669227cd91ca47148
-
Filesize
172KB
MD5c956095c638bda192eae829cbf37b4ab
SHA106eb6aebadd37f8f086aa9a30fe8b1162b07bd16
SHA2561b0ced55cb91fb9cdb82b8c2b79f5d73e6871657592f060c29315b9a71069882
SHA512635881f2b0f4f5b41525db6994569a01238f7f834c166056c0515b87898beef71d782f4d5ee375f0ede961eab5df2ffc68e0aa6bbb7a7767df71714a9be0a52e
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB