Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-11-2024 08:31

General

  • Target

    b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1.exe

  • Size

    592KB

  • MD5

    e0f1f0356574f89c4f18cb6e0bc85d47

  • SHA1

    23fbdb249badb0c65cbec60a6e776d19d332d2fb

  • SHA256

    b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1

  • SHA512

    085d2cfbc2791bc97ac701e915f1d42b7bc7ceba58723b74a67825a426a05e718fbecc0ac8861c7f155d0377d02aa7a5bf2489ce4303ade0980d30e3772b9559

  • SSDEEP

    6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRo:C4jm0Sat7Az/gZvTIq2WKkw0F6

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1.exe
    "C:\Users\Admin\AppData\Local\Temp\b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Users\Admin\AppData\Local\Temp\ahqyp.exe
      "C:\Users\Admin\AppData\Local\Temp\ahqyp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Users\Admin\AppData\Local\Temp\opmos.exe
        "C:\Users\Admin\AppData\Local\Temp\opmos.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    d7e63a39a234e8a281437e79d22dc1b7

    SHA1

    f054205d879db10d0cce25ac13125dfd0c1e7456

    SHA256

    3c6bca6741e99b40635ff1921300e44e5f26788c1248bf883903223135db29ad

    SHA512

    a1beefd9bd66aaa6ea66f0b88d96289827b47d8d060196daef6254d2419cd336ce842bead32e2d4cbddebb8cc6007f8200283027b36fc73c8c09eccdc498fda1

  • C:\Users\Admin\AppData\Local\Temp\ahqyp.exe

    Filesize

    593KB

    MD5

    771508f8f378c6817ddd999f0257c7bd

    SHA1

    2a70a02d6368be8bf2e36a51e1cb6ff4d3c7e71a

    SHA256

    eb2e0db77e55a166dba7c5ecb1426dcbf307a015a2a73296a23678f72b6f06cd

    SHA512

    3416d69ad6e72eb8b6bb7a097ebcfcaef19f5a3a8550195d17217d723e0d5e07ea27dba230c128d2d40df458238a1779b59f1a9aa91062d2c1fa66b2f53d68f0

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    7456714b22f19ce94eb029ce8df9c5a1

    SHA1

    04c7a00fd72e237d9919b3b38a4659c2afbb3324

    SHA256

    6e219cf1d01242228795e810c2a696eea46932c43d243195b4bb4bb2c8a96dff

    SHA512

    772398f42911bbdc6d33c9341f2964271003aac1c9f0d774b6bef521666d8c3babd20a274a7ca15998764ba9421b6f9faf4c2f575b2439fb3af535ce56b14aeb

  • C:\Users\Admin\AppData\Local\Temp\opmos.exe

    Filesize

    323KB

    MD5

    f0f5291ce815f0c856865ecd4188fd01

    SHA1

    a00f5fc401fdb192a6ed21243afde0a5b6f5876e

    SHA256

    edfa371a516192847abdb467aa556c5b6c9066fe7f85f529307c5dacace1e9cc

    SHA512

    54b8f4179b7d65e641b55a7c96a59d719074e5761cdc5f843dd49bad969512fa31e09414739ae5cfb346cf38e37f9895bc0728c7999f16630dbaa68ba4c0a002

  • memory/1528-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

  • memory/1528-24-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/1528-28-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

  • memory/1528-27-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/1528-29-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/1528-30-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/1528-31-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/1528-32-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/3108-11-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/3312-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB