Analysis
-
max time kernel
119s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-11-2024 17:40
General
-
Target
93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe
-
Size
326KB
-
MD5
2a974e548bcee92a9f49c8d04a12ab60
-
SHA1
20713d1c848b27e1f9edd9effe440b7910702d03
-
SHA256
93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068ad
-
SHA512
1140158ff78108353f15b2d3f1cca525b5b754aacf09cceb613b0e53ba663420e22b35a78819f680638df073f6556ec2a4ff9c2dfba1b8ff1911965bc09f6720
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66ciH
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe"C:\Users\Admin\AppData\Local\Temp\93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dutit.exe"C:\Users\Admin\AppData\Local\Temp\dutit.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\povuv.exe"C:\Users\Admin\AppData\Local\Temp\povuv.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5bfa43d8043c41cfebcaf375ae695d794
SHA1b4bc85b33b22a84c56f5b23c6f6e0b444e762876
SHA256d401c9a10f195ee6ca92979ec6f7329f1ad46191b1b7d5c42e24582238822690
SHA512321fe457866dd89e361527cbe94a97e6c9dcd0f56d60ba748efb6c7e1e81f9474caaee39d8ee72e33c7d82327ded7d42a4be3caf01e868052add431dceb414cb
-
Filesize
326KB
MD5bbf27ba9454d66f6f7c75d40d982dec9
SHA1e40606e367313a4640e61202dda2145c0618333a
SHA2565b02661dc94bbb8c46893ac3c8c790f257927a3b613c62b6d6c3ca78939712ae
SHA512748daba062bb328e996b9efcea528867d2ad9d4413d48a0b27ec961ea3753d980d03998857a5dde56aef8bcc6cda895b1fc964e76a6d9cec7eb099fef93f4d48
-
Filesize
512B
MD51d076ffde8256fcd950b898de58f90b4
SHA1c5df0e933192242d3ef81faba7b57b49fe10a18f
SHA256bf7aab0aef02d43d7e6b29ed05f7b3303a345c7d5cb8eddb4fbeee92cdd0a61f
SHA51214f67ac7a3bde28a809b2a70deb0ab0b70645d772b04c53a1eb529c6eec8406a24aa6d2278a8a857c9ec947ab2560b256922fb265e57d1e8c9f6a13ad093c9be
-
Filesize
172KB
MD5f523a21afba21203a7542867a370cd6a
SHA168ab12b6cc21d4fac2f1d44ce83834a4f759dbd8
SHA2568d11d6a53f57deba67e9d6ba2798f39ff7152077c474e997b354a587608a7177
SHA512f601ea3ab933a0cf61cbf9edb88554844beaa2751ea0a4831f8f8bc22cb6d687614a7691258e37f20fc37a8ac2478b54cd039727e47b74de7e3c52d7af1d8443
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB