Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 02:34
General
-
Target
be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe
-
Size
333KB
-
MD5
23c77673328452fe83e7f4c9ffe44b48
-
SHA1
450b06237336098386446a853cd2d97477318acc
-
SHA256
be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb
-
SHA512
006f02d5ab0415f58223d9d4de20f11ad871df47ba5a552b5b9d8ce888f46bc0dcb39bb14a867f82cbb69f7e79819b27ea3f59fa3bf324284ec2a09c6ef8d8f9
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVp:vHW138/iXWlK885rKlGSekcj66ciEp
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe"C:\Users\Admin\AppData\Local\Temp\be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\patud.exe"C:\Users\Admin\AppData\Local\Temp\patud.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\suqoz.exe"C:\Users\Admin\AppData\Local\Temp\suqoz.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD563132647d862949de071464259a80592
SHA1194a536fe3d16b8c5c7c6b07880e63a334e15e1d
SHA2567421a8902a7ae484621e09766d63f157bcaaf48effee9a67812b547a38e006e9
SHA51270d711de6db7b36c11e1b1cb35ba95e18e1df799b431da1e03d244b3b0a6045e10c565daa965c87ca393222c68eb7bee74281f3ae12d5f3f7016d8fae81d76a2
-
Filesize
512B
MD51a03ac6a7e749f4585b35618e93f714e
SHA1bba5f708fe74864da7fab7efc70520f14599ffe7
SHA2569c3681f6e5cd71b4fba810b41584cf00049c44a329296984ecdfb747af70c829
SHA5122473a0a383b81135ca76b9c7fa8170662d79516a3b4d737e89f68c2d4a4d385880e9acf607d8088f3f4ed53bd93a938b84ed9535d5a4dc575a9391f9d0dd8716
-
Filesize
333KB
MD5cf4feba99257237a230b9c95a3bd2a3c
SHA1c3407357615c7c74717c891797950b60247e8295
SHA256fd9b21ac2669ca25662ea34237872f9a77e028d13a9667dedb65a38497466ab4
SHA5128e5437d143b2aaf0d0fe9f06d8f04c4909a9479b8907b52643cbb31b6e2bddcb248fa1431b5e2539622b98aca0ed87d7abc2ea8f0dd5240028f80d6e12560cd4
-
Filesize
172KB
MD5cb9cd504ccb323c1378deaae97ffd6df
SHA1a67c01a54f6a36be84d1d7b2bffd0bb850bcf2cf
SHA25646e464b8f49a64f1e20cb00a968e2dee5a3e753c3bedc29c8596fd66e99ec16a
SHA5122eb661b0e907ac99ef6361d7ab1e5a6d3fcf16ccccb3eaaad1e60d3fa99c77fd46a344b6d81a8f066acaaf93b239b1941c2ccf816ca7c98416fe59fed5e0295c
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB