Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-11-2024 00:37

General

  • Target

    bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe

  • Size

    411KB

  • MD5

    aa97dcb39873e4a80aa2063724ee96b0

  • SHA1

    bb5475dd2c5554a9afbdc14256fafbbec8fb0bda

  • SHA256

    bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5a

  • SHA512

    d9735c5123c29b148f3c47ef94b854c29649e16516d5593f5ebf1f29d1b9a0062ba5dbef6e008e1b7ba1db7e1d0c0dcb5ef60ec6ac7f3873efd9175c915288ad

  • SSDEEP

    6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOC3l10:oU7M5ijWh0XOW4sEfeOWK

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe
    "C:\Users\Admin\AppData\Local\Temp\bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Users\Admin\AppData\Local\Temp\gafap.exe
      "C:\Users\Admin\AppData\Local\Temp\gafap.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Users\Admin\AppData\Local\Temp\cuseq.exe
        "C:\Users\Admin\AppData\Local\Temp\cuseq.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2276

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    919ee717ce10c9512526d943d900af50

    SHA1

    1a8a93e78aaefb771106b590015451584cda802e

    SHA256

    ea905a861aba1abd52fa411ba61d3a319bd3be808132e94cb1c06f14c4ba7153

    SHA512

    7459119293859470f7f05fe200cacd584e54c7aed6d2a25dddad9369fd877e1432a11ad22254bf9d8b5a7bc2cb38973b1e6c96785c1498a547d927354f28cd98

  • C:\Users\Admin\AppData\Local\Temp\cuseq.exe

    Filesize

    212KB

    MD5

    2bf703903a8ea35121ba65ee70d8b00f

    SHA1

    39642498fe6e1ec6e8d9337b94eb3e758a42dc9a

    SHA256

    d8c6039745f7251f3a051f0fbc112000950cd1236fbf12cfbdb03da688af5302

    SHA512

    019411a5ee8eb872af47245e822e0374f543a815888b65e0a5e466f2a473eeff1c528d24e889ecc57960193fa62f19febe35a9f68c566a26008e6af0972006a6

  • C:\Users\Admin\AppData\Local\Temp\gafap.exe

    Filesize

    411KB

    MD5

    43b980ff108000a9eba8a23144985f4e

    SHA1

    df0c22473b1c2f023abd641f20f5263cc664a54d

    SHA256

    8a3f6470e0eedf41f90688fa26925e7ea0f2b2f945a016c742a06ece4a566771

    SHA512

    11dc5644be09cda7fc649d403327157a984eb6aad6092c6f52e3c26349697a79346891cafef6f47648924d52c2f0761f085bde9a69aafd5e4fd73158e8e8186d

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    2337e1a17964bbd8dd5413ba6e3ee1b2

    SHA1

    f779d24fc945a2091afbf36cfc8fdc3f0e345c21

    SHA256

    0728718d8b664366731ac283b45c44d7862458559756028c8df147b1dbbaf083

    SHA512

    423b8e22f0c299dc4a27054999018e8056fb9345cc591c6a99e3db5daa7062f8ac66129ef7c6b13096d47c2aee3a23ebab71dc44e06576a38ff2c239f2cfc229

  • memory/2592-16-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/2592-26-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/3252-13-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/3252-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/3936-24-0x0000000000070000-0x0000000000104000-memory.dmp

    Filesize

    592KB

  • memory/3936-28-0x0000000000070000-0x0000000000104000-memory.dmp

    Filesize

    592KB

  • memory/3936-29-0x0000000000070000-0x0000000000104000-memory.dmp

    Filesize

    592KB

  • memory/3936-27-0x0000000000070000-0x0000000000104000-memory.dmp

    Filesize

    592KB

  • memory/3936-31-0x0000000000070000-0x0000000000104000-memory.dmp

    Filesize

    592KB

  • memory/3936-32-0x0000000000070000-0x0000000000104000-memory.dmp

    Filesize

    592KB