Analysis

  • max time kernel: 119s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18-11-2024 21:45

General

  • Target: cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
  • Size: 555KB
  • MD5: 49578e06b681e1ad56ca5fd417aef0fb
  • SHA1: e6cbb060c5ab504f2ec3f2cc2f621eaed907727d
  • SHA256: cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52
  • SHA512: 75f26a3d205875d322337b5398b8627e77690d8c52f8db73e4391b846d0101f8a1fc4569d3d7ba0b209d7d8af1a2c730dc59f0f4f0115da1ed7460e879907471
  • SSDEEP: 12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY

Malware Config

Extracted

  • Family: urelas
  • C2: 1.234.83.146, 133.242.129.155, 218.54.31.226, 218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (46 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
    "C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\qutef.exe
      "C:\Users\Admin\AppData\Local\Temp\qutef.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Users\Admin\AppData\Local\Temp\mogoe.exe
        "C:\Users\Admin\AppData\Local\Temp\mogoe.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3340
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize: 340B
    MD5: 16f866800d1bce0d461c4bf1d5cc826c
    SHA1: dbdd17e36e972d424cd619b2deca408138b4a533
    SHA256: f5422ceeba01071192926f939989bfd89156fcaa4cf7f586897de881ee34b1c8
    SHA512: 5dd2deb742a6250871301e90321cac04eba0fbc8e009bd506712159646a00e327f97efc2c2c3461ca2d325e151e0af7a4f739f22613705eb889faeb8b5b7acfa

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize: 512B
    MD5: 6f39ba8e707421eeb84ea4fe72e47c23
    SHA1: 891421e27d9bbd1034320fb22798aad808f878f9
    SHA256: aea91ecc80e1c5d9a5c1596ace63ddb925bc57c84d0596905f080107414c0e7c
    SHA512: 905bffe9b477941165dac5d44941059fc49578ddd855d558ed749f988a3b135b99b5df152c2fd38b21ba408c32939dab33114f16ef084944aeefca4059f14c91

  • C:\Users\Admin\AppData\Local\Temp\mogoe.exe
    Filesize: 194KB
    MD5: ac2c559275692c462cba8dd76b3d3478
    SHA1: 7e4b8cd5049237eebf2b9fd493515c4eb4dbc0b8
    SHA256: 1e17df1c9d9a39d03b602b540a997e770934cd0845f4f57ac9af57864891cce0
    SHA512: e69cef84e6ea8bbafc8c0af8e9da6bbdd9fc917c0c7605320ac4108dcfd172b6e4acfc4d65dc39af753f8336ac4409ae1728c6f43f85d87707e24b8e397e8429

  • C:\Users\Admin\AppData\Local\Temp\qutef.exe
    Filesize: 555KB
    MD5: 7f1030665a58635d2e33695ca60ea185
    SHA1: cf1c92cb52d7150b0372fd96e18ab92ec2d80c3a
    SHA256: 00180378061edaf84c24d3a1545f8e3c1c593b4b2c605519f4408ac185d8cbe9
    SHA512: c2797beb4a882c481d99c2eeb8aedceaa8e7a31a262cd02cc59043ff1b62a00777f1c97e413182ac34a3aae54c770afbc529587afed0d117e42d8d58609bd46e

  • memory/3340-27-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize: 592KB)
  • memory/3340-26-0x00000000001D0000-0x00000000001D2000-memory.dmp (Filesize: 8KB)
  • memory/3340-29-0x00000000001D0000-0x00000000001D2000-memory.dmp (Filesize: 8KB)
  • memory/3340-30-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize: 592KB)
  • memory/3340-31-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize: 592KB)
  • memory/4456-13-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
  • memory/4456-0-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
  • memory/4908-16-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
  • memory/4908-24-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)