Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-11-2024 03:21
General
-
Target
13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe
-
Size
332KB
-
MD5
d4dc0d308df5e95206a3996e1826e0f0
-
SHA1
11d31cdf3db5943ad568af9beb1ea22138a29ecf
-
SHA256
13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398
-
SHA512
3a12527907ea4a9a10bffb8401dc3218c58a29e7e0782bfde678b99f327dd5f99b506fef43e15d7927aea1e44515e14375f240226f22fff1e20ac5355234c092
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVj:vHW138/iXWlK885rKlGSekcj66ciEj
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe"C:\Users\Admin\AppData\Local\Temp\13e083e73c0c9b10417abb2f235642c34987b306e8184f48ed09b8f8238be398N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gozyn.exe"C:\Users\Admin\AppData\Local\Temp\gozyn.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\buriy.exe"C:\Users\Admin\AppData\Local\Temp\buriy.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5b894925e57c9f98debe0a09b905518fe
SHA168c2149448f56c2057df9ef76fd227a18b9d39bc
SHA2568ffdf586ab3ce73a65dd5548babe3b33cc4fbd3a941fb975cd821a9027f42783
SHA5120b97ccd3521fc66080efaf5e8b7249f6dd8fbfb993c1ad50bca12240d40a11f5f15251b21dbe8f8563d701d9481576d4c0df121ae58017e1fe3f845c38d22b29
-
Filesize
172KB
MD569fb1380b948b9f08cf293345a95ed55
SHA1e3ef4af483dd3f3712e80e960a87945950520e40
SHA256b4293590e6f8db7d08110ebd72ced83742f4c0138e735702f3d4a0c209132be4
SHA512d26100b64a185d4c4e450e136699b369e285e5820b48cb10043e97cbea3f5bb2369090bac7b55710f740489c82ffd5f1382e60facff7531d136fc5ef692b2746
-
Filesize
512B
MD55591050b58216c5ae653b9f5243837e2
SHA15cb7b1c011347cf647c2b538c8aec0162a3c3c54
SHA256c554aa66af9ca12915b24eb8b40ec61db4e12a8a622259bf309b6a74ba7c8306
SHA5125bf0f45954831145fae3482dd706ac0c4ea338667c84a8beb99d4ed4f7ad5c01bdb093a15e22b40662df92682b8e5924671cfdf6910a1c8c5ead8ef056973458
-
Filesize
332KB
MD59c62a667c80b1753aa8b527be4d7d4cd
SHA17a1b5f4f4c8e09f0b1e4aad5142382ba0602b1e9
SHA25603eb0b93dc275e5f2d0ff3186c2c82be41a1ac6116b84ea858ad1956217a2867
SHA5124dcc7b89e98aa9c0ce4d0cbbcada31af42fa5a54ad76abe085b0e99438a19888f31b622c0bfda1e3fdc3207f77e3eb896add800b1f7c10a059de53d329ed2f29
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB