Analysis
-
max time kernel
119s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 08:54
General
-
Target
6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
-
Size
332KB
-
MD5
9005adf6dc2001ebe4b8b45ccae3c8b0
-
SHA1
1338d6153061783232f99e6944b6144a4835a2e6
-
SHA256
6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3
-
SHA512
933431cf66acc4155c510ecd6b2603aecf4f757da8335edacf0c4e8812c72e52387479c645e6bd6b4d69c786f5903fe18e6b0f807edf9321669525ae704620e7
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66ciz
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe"C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qypyx.exe"C:\Users\Admin\AppData\Local\Temp\qypyx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\winib.exe"C:\Users\Admin\AppData\Local\Temp\winib.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5710943b4bc4cb3508979b0ff0dec9782
SHA1bcffaf0cc3dc993ab846ec5de6f880721fb8f2d5
SHA256d8b9e49cc44f652a3daebde2f6d26059cae4706e59d53500dbf5074cfcc4ce04
SHA51213622271bf849268c7c24a56ddd17ad91a5ce8085f32a1b01c8ee324b642880066a03dfbc04c4c44bb94fb22ff22af0e1765d87fe8f8322a8bd54f6d51051b5d
-
Filesize
512B
MD5464550a500bbde31144af795e6ace26a
SHA15f9a832f7ada957f63d6f9e0f98e57f67721d236
SHA2562f9ab0d656d67221eff172843215a4d438e2759fba70dd1c33c3872a943b8dee
SHA5128c06c9dc343948310e1908c4d5244b5de8448ae5bf756dc76eb229a24df22cedec9e4d1c939ad6f0c973b0a2f0ab13c49a74351404e0732a3639af9c4a85735b
-
Filesize
332KB
MD5123c197ab1cbf8a0f4ded8569d5defd4
SHA1dc9c07506829f396631d3dd34570f3737c94fedf
SHA256665ae516bc4edb36060893bf64f510d14bb5310ea971745113430d951addcd68
SHA512287703c028e67468f3757e3207d2c18b43b81a10f04d146f0ef27cc3121323ddcd79a4dc86d5c64ae753d7df2bde3b5999f407e486239e18579a35020ef2c184
-
Filesize
172KB
MD5e9f2ca6f7bbec5bca2c7d90944e3deae
SHA139ec9b656fabdaf421008a2dfc4983b41187bda0
SHA25623428dbc768289d0a7707436ba2ce8d6daccb4d834ce8f7784e48da64740c6d9
SHA512d6662f236a6ca36d57f4758333276a673dc70f6b744595b3b3efb068a56bc4a5901312e1418f85c653cf9ed300f399cff196eb23b5bdd22ab33fff079d8efe12
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB