Analysis
-
max time kernel
149s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-11-2024 01:52
General
-
Target
a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe
-
Size
332KB
-
MD5
926d44f877c6b8877309b7dc186c5650
-
SHA1
d21eb91f9d20bb0d3a3ccd5edd4dd48d900a54df
-
SHA256
a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429
-
SHA512
486b60f8b1ee93f7b52f8f911e4284b7c384a23a68e4736d5fd6b9dd97c1be5cae23f24fce95f11c98e954bfb029ef55d84bab57dcc9fbbeda6a61e4b6548fc2
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVO:vHW138/iXWlK885rKlGSekcj66ciEO
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe"C:\Users\Admin\AppData\Local\Temp\a75ad7afda019d2648d07451bdc13beffe0afe240b2def24e3312e6c9eb51429.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nunyu.exe"C:\Users\Admin\AppData\Local\Temp\nunyu.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jares.exe"C:\Users\Admin\AppData\Local\Temp\jares.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD550cdf9e4b573a86d4510dec0488fd72e
SHA124b5ae9f6b068455895b878569eabbcdd113a0bb
SHA2562eb2fe28da4522c3f19a396b64cf2fcf1c9d3c242a60b7beb332abc2a2a57ef1
SHA512d8e3fe0c00f225698bc8bea1184466552f46a26b1d8ad31ff968d5b64afb0c3e4aa43d8c8677a058272f3cf90c942f7d380452f1b11b8a177efca92a13e55b2f
-
Filesize
512B
MD5b846d545220909344b853a4521ed7798
SHA13770283b6985ca80f85d3dece12eff8990defb3e
SHA256380e69eb0719c2f1fa8c204230c923ab6f73f9a281b90664696193654ce1d61c
SHA512921a1d53f783e6c85a21468ed7aa60d58e83ab7dde90818b7eb8ed6abdfd4fa712fa88ae642878108018a35a2199d08de3cda8c455383aabbffeef9801923c14
-
Filesize
172KB
MD573ab6465c553641cf48879b6d0442b6a
SHA1124114d16b51aa1a60a27fee191cad8699675c73
SHA256fa9dceb61efdae4c8c8d2f75713c950be5ee02c403a3a66504944ba41971bda8
SHA5121d3898b048f12a1dd9a4d0f75b4961bcdced29dc53309538f3bc974f983635a4cf4725469f80732b560c869acb3bbb5f9260de2a405ef7220d4febe4d932035b
-
Filesize
332KB
MD5e713187e71a717b5c1f1c2927eb0d75f
SHA1d3df52aabd15639e977bc9edc5246207b6104402
SHA2569db8bb03690af617dfa667aa7701b9ba3b152ae783904d26096e669e4ca3d371
SHA512f31a20bd2bb4513233fa53c859de2e621d177acd0c69adbe8582142cadae93a2228df3d06e98f53605c392e200311ea75f13d0f11b4971c85a5e9738879b79fe
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB