Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 20:26

General

  • Target

    213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe

  • Size

    629KB

  • MD5

    852c786fe915770ff65d506086e4bf35

  • SHA1

    c47e365f60694b91426dd12d50df82cf96afd732

  • SHA256

    213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e

  • SHA512

    469b5daf40b28366b11268f7ab96f7a1379f9e34ab150db4902301ad4779d890d09933527e45b6c88888979ef53c99d96178d2abe99a2824633a4d6e1ac9ca33

  • SSDEEP

    12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsx:5UowYcOW4a2YcOW4Q

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe
    "C:\Users\Admin\AppData\Local\Temp\213dae0604db18134833b5a9f34ba8fca11e5ec76c3ecd05a27eba188a7e249e.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Users\Admin\AppData\Local\Temp\neleh.exe
      "C:\Users\Admin\AppData\Local\Temp\neleh.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Users\Admin\AppData\Local\Temp\siuvy.exe
        "C:\Users\Admin\AppData\Local\Temp\siuvy.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    f6f67b02a0fee1cbac2651a91befa5e1

    SHA1

    f768ee445010c870da40c425824995553e98e8a1

    SHA256

    4386dcf6a59d8cf5fd16af36f29321bdedccdf8781babf4033498446c76539d2

    SHA512

    d4c6d1f58b2d8e8ca58b4650a3ada7f871cbf17dbcd64912ffaf3a91ecc22e0d86c0f2240e4f8a082062cf17fc4e75b1efee41f5b24759ba509eae25d6b07a5a

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    747578224d89bd90332a4bceb7ad494e

    SHA1

    1a6295224c17739fce8387c7560e34f825e6f266

    SHA256

    442b3d001d771b4d05ec7060ea09e49c7cf0adb477b61fd540a4758e1d8b1d4d

    SHA512

    0747e08a09ca43a4b3f0cf5fcaed12af4bd8c4dd6ff4fd809ce663d23f29cdbee930e4a402d66a13cebfb2a8faf9f64c5759900bf649da52a455ca0957e57bae

  • C:\Users\Admin\AppData\Local\Temp\neleh.exe

    Filesize

    629KB

    MD5

    538924984ded92c205a237d4639cab81

    SHA1

    a30eec3ddcf04312a8d6809da3ce10544d42a75f

    SHA256

    4172074a92f3541520644ab073ca5d67e698d1a1ca1380e8df70509798a32b1b

    SHA512

    8963ae2f959df7a41a4948158156998b57587bc5d83ec8ac1e78e9f4a841284262adc5988ec8941fa087093aec233cb6e9bbae0a24bc36cc9152654ca547c548

  • C:\Users\Admin\AppData\Local\Temp\siuvy.exe

    Filesize

    212KB

    MD5

    5c671da0b70e92698a2f30cd60f2f2e0

    SHA1

    231eda2356ebeed1612e806095ebb2163e7330d2

    SHA256

    f31d74b660625e8804709c49715a964bd421eb4304a09d3fbdc71b706e4153f7

    SHA512

    53a67a3f53e0681f58f8757be30809c33c08162d8d624b3cee885132db9c2e4b15781f0cec846b3f63870f4b1fd429e61bfea462cff5d592afbb679c865b3a2d

  • memory/4516-31-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-28-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-27-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-26-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-25-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-32-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-33-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-34-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4516-35-0x0000000000F90000-0x0000000001024000-memory.dmp

    Filesize

    592KB

  • memory/4728-13-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/4728-0-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/5044-16-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/5044-29-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB