Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-11-2024 04:17
General
-
Target
c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe
-
Size
328KB
-
MD5
7278c271c2eef03467db27313917b658
-
SHA1
9629d2d11c22a6da39b2640759db5466900fdece
-
SHA256
c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44
-
SHA512
0a71c83047f23e4e451e9df2ce188bd6ea9f41e446b1add9e48118584c76d54cde3ad6252d38fcc4071e15e2bc6f2e0f5f1165112febe15b7d6022c1d2babf39
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMO0B:vHW138/iXWlK885rKlGSekcj66ciRB
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe"C:\Users\Admin\AppData\Local\Temp\c7f34fcf3ce0cd88cef94ad44beb049b47cd46ae487f882c3a42841949297e44.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fityb.exe"C:\Users\Admin\AppData\Local\Temp\fityb.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\texin.exe"C:\Users\Admin\AppData\Local\Temp\texin.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD53cf7fca461b272356871b22b0d6e9eea
SHA14f689d27d037d48e82c7ba213695752badc827a5
SHA256a27fea47043be1d32f2e20feb1e66819f89eec3ac0288ace69885f47143aa31c
SHA512ed5e1bce5d3b888ed948b61f6946f6cadacf010a8b6c43c12873669d9fabeed006c9b0f13bc6640fdbef4db99de23f86a3e2a7fd6c6ca87f6801ee2accedbdca
-
Filesize
328KB
MD55f9b91ab2975bcc57461979514e2f921
SHA173dc72f19923a60b54268538ba8184b5c8f5ccf4
SHA2565788b5e8dcd82b146342cde53c6a83d502a0f87f54930e17abecd63a28db2576
SHA512fe6aeed6fc2ff3112f0a7fca9225581e4a30ff88d943d742788bc80aaa9007e710372abde1fe3a05667d31e146b63bee057932fdb1f9ec47c1ed0f5e9dace0a7
-
Filesize
512B
MD553ae848690da4ead072f7a8b6215c3ea
SHA16e0d4596d2bc3d04a8dda46b8a28be0de7493060
SHA2562da9547e27734390a2012427842c2c00b9848d22a7cc076bce419ed1fb074273
SHA512e293c228706c9598082c6e3a1959182431646a29bc4dcf046c17422cc15b944262450a769f5bdd253bc014af192aaa707715924ffb7771f09266cc757840b21f
-
Filesize
172KB
MD5712c3464b97b7b405629521519cb01b5
SHA17a659332e443c6d2da5e33cfcd507bb4af315156
SHA256bf3100c74b0d2d215b0398cba1d14e437b6ba4bad1decb52b785a047a0fa315e
SHA5127e8e75bd9006f1c089fcdbbd326e00f8508841e577ec6f4e1514baadfb020ddfdc20083782e9133e350096874f373a40dbc50fb24fd3873c63324629e3a5f8f4
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB