Overview

overview

10

Static

static

10

0a2a211a25...9N.exe

windows7-x64

10

0a2a211a25...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe

  • Size

    413KB

  • MD5

    315da296cc2c81f10c9e137b6b316320

  • SHA1

    5fe9a2de322dcf39ce2bd1562460d79535d15db0

  • SHA256

    0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09

  • SHA512

    aa26148c3e82a12294fd9449cc0194cd7d283341c5a4b1f284b8fdcf16355fd2eab64fbd655084b9461234d6193ec374f88599c9be84241e1f5ab0325c31a189

  • SSDEEP

    6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsz:hU7M5ijWh0XOW4sEfeOy

Score
10/10
urelasaspackv2discoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Users\Admin\AppData\Local\Temp\hibox.exe
      "C:\Users\Admin\AppData\Local\Temp\hibox.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Local\Temp\tuuzo.exe
        "C:\Users\Admin\AppData\Local\Temp\tuuzo.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    342B

    MD5

    8700b1a288ce7c6a0a12306d1c04ad7d

    SHA1

    88e89f0fd50791152eb1321891acc399be02b845

    SHA256

    ae8c43a0e815ac53073c97749129abad18c566ec01b4f4177ffc03b754b8a25b

    SHA512

    3c5efbdf8d176d4c15a80b5cfac8898721593c5e56ebe157e4edca4b77afea418d31dea5e30e6364881f64d23baad8e5a4a8e8da032c870cc8dff2625a5fc352

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    8033c07d7fad8f9e5842106f8ccb85de

    SHA1

    c848ce33113b2005a30e7e9d81de94f0d8183a45

    SHA256

    8021b3901e79163f24e4948cd5d0e91d0f41a7782c75216d3c994c82c20dfdaf

    SHA512

    ddf6a13472319fc1cc38d8ecb22b9780998baf51d489983aaa4cffcdf0683dd4d207a3618e9c67db6fd3996bec275fddc3e0620131e925a2945415d28090304e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hibox.exe
    Filesize

    413KB

    MD5

    76353acacb59215f5000270ba3e214a2

    SHA1

    a5b36d6a76e3c6ef9eeb2d9e58e7fb1630fdfdf9

    SHA256

    e7fdf2a77c3e4f8974d8dc3148e6fe89dba5fdd406451fccdd3a4178b4f7138b

    SHA512

    228e40f1e81f07d9180d4bbefc7d585442338b50475feb6077f510f8448076adc650b2a42cda3a73d7373e0ea9ce02501b9061b339024e950c30449d26d64044

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tuuzo.exe
    Filesize

    212KB

    MD5

    2a6473e00cee5d2a34fd144f32dbe73c

    SHA1

    40e7c5acc8732920e346461db65d79bd4f3c04d4

    SHA256

    69f135e3ec59842c5995b2f181b714298057901baa31a8757952142024f1e9e9

    SHA512

    51cdc97cb3ff14ca75a50c35944d2578c2ad0da8df541a62a2e342ed04c892a269b593bd84e88602d3b99084452b3c66c26841f0128036db27cbfe8f43222357

    Download Submit

  • memory/3116-25-0x0000000000110000-0x00000000001A4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3116-28-0x0000000000110000-0x00000000001A4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3116-26-0x0000000000110000-0x00000000001A4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3116-27-0x0000000000110000-0x00000000001A4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3116-31-0x0000000000110000-0x00000000001A4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3116-32-0x0000000000110000-0x00000000001A4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3640-13-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3640-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/4596-16-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/4596-29-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download