Analysis

  • max time kernel
    120s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-11-2024 05:18

General

  • Target

    576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe

  • Size

    334KB

  • MD5

    c8bad9053e92de4f01b9f1ec020320c0

  • SHA1

    03946e22d4ad01c409006b058cb6b01e83e4bc7f

  • SHA256

    576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6

  • SHA512

    b3dee39c5f133119e01e9a4d5fb0b8d1d6bd6b0ac4b5c295999f314bd50d6765139e042ca9577d1cf83ba202dbdf08300ffa8e67293c0e0753ae6e21c09bdeb7

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPf:vHW138/iXWlK885rKlGSekcj66ciG

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe
    "C:\Users\Admin\AppData\Local\Temp\576d16a434c2d7a3ac725dcd228293f2d3fcfabb4dbd5fcbc290ca33ab8185e6N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Users\Admin\AppData\Local\Temp\jyqof.exe
      "C:\Users\Admin\AppData\Local\Temp\jyqof.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\nowue.exe
        "C:\Users\Admin\AppData\Local\Temp\nowue.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    7f5dc6735a805699f2b181d5c31dce1d

    SHA1

    c5f2435d44569565343f8aec06d45407e5f07d54

    SHA256

    c45fecdfb9d5563ee23b3d6cb6ea4b2e1d860284d4f4a00dc218cd32682b440f

    SHA512

    65a847606f6fd6f608fb4d99e5b8483e6d030c29345c97036f07fc3cf1b98d68c694cde27fd4f79ed36447c6d512c3af7ce5f9e11eff1b5deebb20dfcc0e801b

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    ae91de910d4205d6fdc04a63db04c00a

    SHA1

    acdfc98391b1866cda6acffc4b794e57bd68a2af

    SHA256

    9037f86405435262aa434b3422e202669dc0cb93bd68c7a7e207103bc22e9c51

    SHA512

    e43c1cb6c1a7ac9659cfa6086bda3c3e746e20e9aaf86511da165951564f141fe32c22df9d8c148c56f4b6ed85cd2132284b414ca8454345b81af636a7186fc0

  • C:\Users\Admin\AppData\Local\Temp\jyqof.exe

    Filesize

    334KB

    MD5

    faee1fa7cf0cd17a14f41d666b6d4071

    SHA1

    8766f5a324e0819cfdc2aee13f55d4b5fab2a17b

    SHA256

    6bdeb9766e97ce49bd234f722a283466f3b1e2fa0d4bad131b1b8ec28e470912

    SHA512

    8e66a8b0b0925ab8c1fca61d224e128dc5fb2426a9038094442e2caebd767f67b1e708b792470ca40e20f7b00bc28c95fd83edfbf94713e6c3103afa773f7f63

  • C:\Users\Admin\AppData\Local\Temp\nowue.exe

    Filesize

    172KB

    MD5

    0addb9474b95a09f9ac2c868ac87ad97

    SHA1

    2d78403a2f96d8a6c6940d66422551dad8064746

    SHA256

    0e6c8ce4b7d1dab923c7b157b85f57ffb4b5c026d4808dff1c648defdfef0bf5

    SHA512

    5b949b175dc88bd5e80332b5a68080554dc84dc381e85fe802e9bf1c8659c80e3851e7f9cdc854f3cec672d4058394c44df48d0313b991a4bf7b695c30e023d8

  • memory/1812-38-0x0000000000E60000-0x0000000000E62000-memory.dmp

    Filesize

    8KB

  • memory/1812-47-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/1812-46-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/1812-45-0x0000000000E60000-0x0000000000E62000-memory.dmp

    Filesize

    8KB

  • memory/1812-41-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/1812-37-0x0000000000720000-0x00000000007B9000-memory.dmp

    Filesize

    612KB

  • memory/2636-20-0x0000000000BA0000-0x0000000000C21000-memory.dmp

    Filesize

    516KB

  • memory/2636-40-0x0000000000BA0000-0x0000000000C21000-memory.dmp

    Filesize

    516KB

  • memory/2636-13-0x0000000000A40000-0x0000000000A41000-memory.dmp

    Filesize

    4KB

  • memory/2636-11-0x0000000000BA0000-0x0000000000C21000-memory.dmp

    Filesize

    516KB

  • memory/2852-0-0x0000000000940000-0x00000000009C1000-memory.dmp

    Filesize

    516KB

  • memory/2852-17-0x0000000000940000-0x00000000009C1000-memory.dmp

    Filesize

    516KB

  • memory/2852-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB