Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 00:06

General

  • Target

    89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe

  • Size

    592KB

  • MD5

    16acf12d33e939e05ff7d58ea575ed07

  • SHA1

    1b8eab1affb80af01998ee11509c55191f8ca12b

  • SHA256

    89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6

  • SHA512

    5b1f0f6a875e3a961e2ae3bf287acbda92259ff781feab39f0a3e8891f648a960f121a6499aa042396e9203cf9ecc2ebbfea384f368a583efa25dcf53018aad0

  • SSDEEP

    6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRP:C4jm0Sat7Az/gZvTIq2WKkw0FN

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe
    "C:\Users\Admin\AppData\Local\Temp\89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Users\Admin\AppData\Local\Temp\joybv.exe
      "C:\Users\Admin\AppData\Local\Temp\joybv.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4204
      • C:\Users\Admin\AppData\Local\Temp\tuizm.exe
        "C:\Users\Admin\AppData\Local\Temp\tuizm.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3096
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    14cb2d56339f549aec3e7a9fac4f0eaf

    SHA1

    24c7ec553e4aa243be3047329cd58cb19188b0da

    SHA256

    9de7171d88e19cb3214b389c926ced7fdea69b5056b80bbccb27f3835b7c70ed

    SHA512

    8c858747dcf7a173e7165578e25255f6633f9096f095ad34c13344d9b85d7586c2b40664d5a30979ca10876f9abe590559cc601a1d1e6c8044eeab390bbdb766

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    f655f8cf0334ce2f1431d45b1621c7c0

    SHA1

    226504783867ff64ae98ca3541dabb3778ff83eb

    SHA256

    48b61146fb0766e2994044a72e3bb548d9f18f0e5772fb7fb1339d6db609857a

    SHA512

    ad3d2060ccedea303a36fb08a220e1abf2fec1345502556a3cc6b57cc00337089c0e1805a541414262ca09f25c03a906bdb7efc9c92b37a3c0dd049c097bf808

  • C:\Users\Admin\AppData\Local\Temp\joybv.exe

    Filesize

    592KB

    MD5

    db5ab4266eb3a7cf549bce7dc11d0769

    SHA1

    c3604f34f1c82c84ca6a7b2861fe3eb581ff1354

    SHA256

    8e5a843ab93ef864079392d66c027dfd52781cc8c43cc9ff98c70cadd71850f8

    SHA512

    a7734ac7e77b16592baac248f0124c5c1e89188b738e251b1788cf7e2f24562bb95f6b35302c5e0e43988647c7eaf602780536d21212eef56eeefc8d19e38634

  • C:\Users\Admin\AppData\Local\Temp\tuizm.exe

    Filesize

    323KB

    MD5

    bccf0aa75811be83b8a9506944274cbd

    SHA1

    ec3da036b97e44c2f0fc2e5f551e76e79fd569ec

    SHA256

    3ec05e5d664b688f0469597874e086976d90391fa5c87983713ec582a8af01d6

    SHA512

    446e8a7da3ba207abd09b1e9eeb63eaae9ea4e51f800066de7c1c032bf067eb295d3ef3a612f6020cc067e41fbb9fbf51dcce2b38c0f9422f7a25baf1129b633

  • memory/3096-24-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/3096-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

  • memory/3096-28-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

  • memory/3096-27-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/3096-29-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/3096-30-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/3096-31-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/3096-32-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/3780-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/4204-12-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB
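
Worked example (added here; it is not part of the sandbox report and not code from the Urelas sample): mapping the indicators in this report onto process and network telemetry. The rules encode three things the report shows: the SHA256 values of the sample and the dropped files, the process chain in which an EXE under the user's Temp directory launches another EXE from the same directory (joybv.exe, tuizm.exe) and cmd.exe /c runs a dropped .bat, and the four C2 addresses from the extracted config. The event records below are constructed to mirror the report's process tree; their field names follow an assumed Sysmon-like schema, and the explorer.exe parent, the notepad.exe control event and the network records are assumptions, since the report's Network section is empty.

```python
"""Match the indicators from this Urelas report against process-creation and
network-connection events.  Added example, not code from the report or the
sample; the event records are constructed and the field names are an assumed
Sysmon-like schema."""
import re

# Indicators copied from the report.
C2_IPS = {"1.234.83.146", "133.242.129.155", "218.54.31.165", "218.54.31.226"}
KNOWN_SHA256 = {
    "89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6": "sample",
    "8e5a843ab93ef864079392d66c027dfd52781cc8c43cc9ff98c70cadd71850f8": "joybv.exe",
    "3ec05e5d664b688f0469597874e086976d90391fa5c87983713ec582a8af01d6": "tuizm.exe",
    "9de7171d88e19cb3214b389c926ced7fdea69b5056b80bbccb27f3835b7c70ed": "_uinsey.bat",
}

# Behavioural patterns from the process tree: an EXE under %LOCALAPPDATA%\Temp
# launching another EXE from the same directory, and cmd.exe /c running a .bat
# dropped there (the doubled quotes in the report's command line are allowed by .*).
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
CMD_TEMP_BAT = re.compile(r'cmd\.exe\s+/c\s+.*\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.IGNORECASE)


def classify_process(ev):
    """Return the rule names that fire on one process-creation event."""
    hits = []
    label = KNOWN_SHA256.get((ev.get("sha256") or "").lower())
    if label:
        hits.append("known-hash:" + label)
    if TEMP_EXE.search(ev["image"]) and TEMP_EXE.search(ev["parent_image"]):
        hits.append("temp-exe-spawns-temp-exe")
    if ev["image"].lower().endswith("\\cmd.exe") and CMD_TEMP_BAT.search(ev["command_line"]):
        hits.append("cmd-runs-temp-bat")
    return hits


def classify_network(ev):
    """Return the rule names that fire on one network-connection event."""
    return ["urelas-c2:" + ev["dest_ip"]] if ev["dest_ip"] in C2_IPS else []


def triage(process_events, network_events):
    """Collect rule hits per PID; PIDs with no hits are omitted."""
    findings = {}
    for ev in process_events:
        for rule in classify_process(ev):
            findings.setdefault(ev["pid"], []).append(rule)
    for ev in network_events:
        for rule in classify_network(ev):
            findings.setdefault(ev["pid"], []).append(rule)
    return {pid: sorted(rules) for pid, rules in findings.items()}


# Constructed events mirroring the report's process tree.  PIDs, paths and
# hashes come from the report; the explorer.exe parent, the notepad.exe control
# event and the network records are assumptions (the report shows no network data).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6.exe"
PROCESS_EVENTS = [
    {"pid": 3780, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"' + SAMPLE + '"',
     "sha256": "89a801220bb3c7f05e0b18c6f0fbfc1e3bf6ae23e98fb103fe09360de6491ad6"},
    {"pid": 4204, "image": TEMP + r"\joybv.exe", "parent_image": SAMPLE,
     "command_line": '"' + TEMP + r'\joybv.exe"',
     "sha256": "8e5a843ab93ef864079392d66c027dfd52781cc8c43cc9ff98c70cadd71850f8"},
    {"pid": 3096, "image": TEMP + r"\tuizm.exe", "parent_image": TEMP + r"\joybv.exe",
     "command_line": '"' + TEMP + r'\tuizm.exe"',
     "sha256": "3ec05e5d664b688f0469597874e086976d90391fa5c87983713ec582a8af01d6"},
    {"pid": 2568, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "command_line": r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_uinsey.bat" "',
     "sha256": None},  # hash of cmd.exe not recorded in the report
    {"pid": 5120, "image": r"C:\Windows\System32\notepad.exe",  # benign control
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe", "sha256": None},
]
NETWORK_EVENTS = [
    {"pid": 3096, "dest_ip": "218.54.31.165"},  # assumed beacon to a listed C2
    {"pid": 5120, "dest_ip": "8.8.8.8"},        # unrelated traffic
]

if __name__ == "__main__":
    for pid, rules in sorted(triage(PROCESS_EVENTS, NETWORK_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The hash rule only catches these exact files; the two behavioural rules are what survive a rebuild of the sample, and the C2 rule is useful only until the infrastructure moves, so treat the three as layers rather than alternatives.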