Overview

overview

10

Static

static

3

ff6a40f79b...c0.exe

windows7-x64

10

ff6a40f79b...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2024 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe

  • Size

    51KB

  • MD5

    21301ab6a0336f6a17eb12762538cb4c

  • SHA1

    41c8a1d774c3530883cd8acb2881fc86a4aa6bae

  • SHA256

    ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0

  • SHA512

    234889892eb2f33ec1d504afab11f80819f6eb34a271a82ef9a7862d699a11c021fbd14d87eaacc3f8aa16ebffb2155149e57c4bede241301806f121d5d3e609

  • SSDEEP

    1536:h+Ds6ClDXuqweo/0khAUnJDgabGsVy6umfFlPhPo:KsdXfBo/DBJBGzkP5Po

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.28.139

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe
    "C:\Users\Admin\AppData\Local\Temp\ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\shoste.exe
      "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    f51c1462254f3bb8aa00201af0b0a030

    SHA1

    60d3c892bb5c4f654c318451012f936d81164418

    SHA256

    695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5

    SHA512

    41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize

    338B

    MD5

    5c097bfa3c8a379c070b1a53006a9060

    SHA1

    8b8be2479a0dc2b353540f7e699ab91fb603f1db

    SHA256

    1679c4e6fd29576a17ef28d6c41859f8582ebf70aab783acdf2fef1f035cacc4

    SHA512

    d93556917c6d5e816a6656e8d5afa0ea4ac31a7477b24731d00bf7c4bc8ccf561c1d212fdf2e40c4adfd606c4f3ece4802e8d6c32f1b3428a8d25d98d8d67264

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\shoste.exe
    Filesize

    51KB

    MD5

    cb97029f4a0a4e53c2e6163fa551175a

    SHA1

    192d09ce9778dd1bdf2fb94012b1adc3b6d274e3

    SHA256

    ece47616a5d871bb5dc41e4732d0149dd24c33dc1e54700ccf34076e4219b17d

    SHA512

    65f272e1137931fbf7e744fb5753b94bef679b6128362faa0415dbab34a417cfe7e8eca5d220615c507d33f26a0f3f4cf5a87d591d0a8bbbbdbd1542ef4b2857

    Download Submit

  • memory/748-12-0x0000000000670000-0x00000000006A5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/748-17-0x0000000000670000-0x00000000006A5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/748-23-0x0000000000670000-0x00000000006A5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1984-0-0x0000000000460000-0x0000000000495000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1984-14-0x0000000000460000-0x0000000000495000-memory.dmp

    Filesize

    212KB

    Download