Overview

overview

10

Static

static

10

e86d46a470...6N.exe

windows7-x64

10

e86d46a470...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe

  • Size

    401KB

  • MD5

    dc9bddf92d9dd574c9b94a80f3482a30

  • SHA1

    e0fcfa8ab2e8ca54764cca5bf400ed37fc3cf168

  • SHA256

    e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36

  • SHA512

    f4223f56c558b0ce6a3d49fbfeff0694885e83b41ba8f18cef9f5c4351402081b3f1c05292d66a370c1b74e16f02c192bf2eb141d06824bc1a667bc1a1fb46c6

  • SSDEEP

    6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOU:oU7M5ijWh0XOW4sEfeOU

Score
10/10
urelasaspackv2discoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe
    "C:\Users\Admin\AppData\Local\Temp\e86d46a47095d2a32b885459c5d5167b07d4ded11fa2ad3949b52b8585779a36N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Users\Admin\AppData\Local\Temp\ahqyp.exe
      "C:\Users\Admin\AppData\Local\Temp\ahqyp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\AppData\Local\Temp\opmos.exe
        "C:\Users\Admin\AppData\Local\Temp\opmos.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    342B

    MD5

    dee891aa3595ef9bad67be25b4351ae1

    SHA1

    7fc2ae7256c930fbafd984921a8fa023ac815b0d

    SHA256

    45b83f3f7901c9d4330dae2373a670442d836f3d92ad2d92aa46f48e6bb36820

    SHA512

    d1c74dd568fd528ff01308b1f3227464d1a6052d0a7ebfaf412f6b469671c98d88d927937d6e8109fd2a2f327ce16d07da68085e4c304010f15724e1819c4f3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ahqyp.exe
    Filesize

    401KB

    MD5

    268804f5cee8fdf8bf53605bfa7deb68

    SHA1

    0b2e34c30ec45cb51d355e643d23a7fc6517cfe9

    SHA256

    482a72f2e1ce2b4ddc4eb97b7a9052abd0e397702a3004b4ce232ac86d05b5c0

    SHA512

    b1e93d0d65a7e26cdf9de6cfd4f9f591870e63e4998591ed5ffbab7c2943f9949c93da348640fd651646dd6aae4655e6fd236e69e6e20434c8715d7c3f693dbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    e6f0f745febf038998adab8fcf875df4

    SHA1

    95ffd9c5ff9ed070ce003f9316a7be4fc28df7cf

    SHA256

    7d2747085d9900ae76f92c5271b944d58d2e5166820dbd8c690dcdb34b27cdba

    SHA512

    a43f7f00fca4e2e4858d95868893ecc2192999fa35e29130355610152a0942ef73b10de0d50740ef57f5b17ef1f04d079eacaac7c5693fc9f339ff1667300055

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\opmos.exe
    Filesize

    212KB

    MD5

    8860f858c6ee67a65d3ef01e222c1f13

    SHA1

    8dea6133a7b877bf2d368143efee5306fd2c41f3

    SHA256

    637a1d44df123ff432b07f80855a8c0b0cabc0b8feedbc61b906c71d055b1f5f

    SHA512

    0e8abaa8b7546a840bbd1ff50337b3b290d3f5a96c3c22c6dc7f84241a52b7f582154bcd9a6e8a5f3097958dc65d23e917a16f9f8f12b6adc1c38831d7198efc

    Download Submit

  • memory/2376-24-0x0000000000870000-0x0000000000904000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2376-28-0x0000000000870000-0x0000000000904000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2376-27-0x0000000000870000-0x0000000000904000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2376-26-0x0000000000870000-0x0000000000904000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2376-31-0x0000000000870000-0x0000000000904000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2376-32-0x0000000000870000-0x0000000000904000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2988-16-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2988-29-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3312-13-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3312-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download