Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 10:38
General
-
Target
4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe
-
Size
333KB
-
MD5
069769a12fb926841c133bd19fa34b30
-
SHA1
9904e2fc59e715aecc1540f459b248a74969334f
-
SHA256
4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30b
-
SHA512
ffabbb37b6a2d2264fa81ba5da6f489372db858cbeadc6185a1644a854ee6d0d9c37b5f93aa15b5f8480d632c04f36ed3ac7deb95854479985d2fe1d48476920
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe"C:\Users\Admin\AppData\Local\Temp\4c641d122f193e8d0b37e23c679b575c5f4181adfc0b54031e60264e1c32a30bN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uvose.exe"C:\Users\Admin\AppData\Local\Temp\uvose.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jizuw.exe"C:\Users\Admin\AppData\Local\Temp\jizuw.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD58f3321bf544322e77845fbb684c302ad
SHA1280ad5cd953f1350d05b38de6ad8b8231cf461b8
SHA256b9baeafa70d1f4e93eba4817536b9acbf60d8023638d9e94cb39a64baf6d4329
SHA51236be1640cba4892da8b4c5bfe85a24a27e8f68c239db80b645cfd8206ec36792fb1eeed8c8d20f68a15e8eb6ec91c459ba3d20ab31969b076dc5eda9d2fbb3ce
-
Filesize
512B
MD5fa4499e108e685104c093226ee5b9fae
SHA1b783a2abe2dceca260a4bb1c5fc1be79e43e242d
SHA25659a35e4b0e35fbd388e813ff75a17349349bed7bcea7d701b971e6dba47c27a1
SHA512cdaa7eaa58b11e018c13eb600e5fd0fe27753069ba54cf3a2d25ffb09539449086c241b9f65ba70030dc9488bdc8aa3afae6dfd5fc95efd0e6fe3720234c73a3
-
Filesize
172KB
MD5677ec43573798ba46ccbf74fb1e765bf
SHA13d88aed30a440f6b3c87dc9e91d3d33ac275b870
SHA256c2137eadd45d411bfb08d62ad9a3b3ee85f71fbdebb88ac3cfda25017cce3b92
SHA512dc8d6bfba33d85bd61e2ca4959ea969498bf00d2912c090e22a206b75ca406831208c2821c8939bfd956a5589ac2742b0884283f55afb27e510bc49ca9d80e8b
-
Filesize
333KB
MD574a5774214395464323c1b9fb7125bc2
SHA14dfd07a2b92dfc026a4063439c9c7a018f618749
SHA25658f79a669c4d9d5838e7613ac877a5ccac864e0ac6ebed37f67d20aa50a5efa3
SHA512fa9c44e526ac8a8080e0f64042cfa0635cfcacff4a78c6e0fe315bb00f2892307280972b0fff573217b2c5e2bcaf5f35471bece855c81964d68806409256b98d
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB