Overview

overview

10

Static

static

3

31f07747ce...7d.exe

windows7-x64

10

31f07747ce...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31f07747ce71885358dd49f3416aca8290a6684ba699a8ad97448819ce3c467d.exe

  • Size

    62KB

  • MD5

    7418f5d7e50d9b410c0ac7baec9a894b

  • SHA1

    bdca1455fbca27f4dd183d761ff63c3023f55c67

  • SHA256

    31f07747ce71885358dd49f3416aca8290a6684ba699a8ad97448819ce3c467d

  • SHA512

    bc370d63876c37c1295542d49bb697977a30137dde340e4b748d75f72a3c2d921e9d7ac89311fffb0e203b214f4739e524d638bbe9f65bc4bd1d299c2749bbd4

  • SSDEEP

    1536:saTkcl2v/z0thjkh6+uYLo31d0JuPrROVT:Jo0cAthu6+FQ0JuPkT

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31f07747ce71885358dd49f3416aca8290a6684ba699a8ad97448819ce3c467d.exe
    "C:\Users\Admin\AppData\Local\Temp\31f07747ce71885358dd49f3416aca8290a6684ba699a8ad97448819ce3c467d.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    Filesize

    62KB

    MD5

    88ac79881eae33a186509de08fb0d629

    SHA1

    aa912af42928e11a32c886e43cc4c21f37c7caeb

    SHA256

    b9da5fe84b3f0e786b851b9e1b2ae16b20b13815c4338185153e9d91a462e40d

    SHA512

    572aea8fffc65f69a0cd4cc1417c1edafdacde3407b5c0f09a6b54f5484c360cad9bcf1098879cdb2c75084e45739241fe606f669bcd915f3b993dc5ea359d18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    657ce9e5dd337971e44dfb9cb3fbf7dd

    SHA1

    026734083afaa4b7d298781b26a72ac9b67ac831

    SHA256

    3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472

    SHA512

    79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize

    338B

    MD5

    14da6248c71a3843ac1a2bbb2c4aedc4

    SHA1

    247cf47afbd92a7ebcf7f6584679af11cdf681db

    SHA256

    0b11eb7fca80c7f18e3a859fd9f45a6cf0f2d59bc9fb088cb44ee8d1e9505d8c

    SHA512

    c8d705aa586ab3977a2e873f8be355a74295e5a72214390892fd1870868b266c675fce2e5675877346b7097d7203fdecd8b16efd85c72b057c09be1851e08208

    Download Submit

  • memory/1932-0-0x0000000000160000-0x0000000000185000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1932-18-0x0000000000160000-0x0000000000185000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4572-15-0x0000000000570000-0x0000000000595000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4572-21-0x0000000000570000-0x0000000000595000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4572-23-0x0000000000570000-0x0000000000595000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4572-29-0x0000000000570000-0x0000000000595000-memory.dmp

    Filesize

    148KB

    Download