Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 11:12
General
-
Target
16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
-
Size
332KB
-
MD5
c5105fd9f1ab2ad22f450fff55d33143
-
SHA1
e68a07e75bff28a4bf27567dfdef8bd519fb8a5a
-
SHA256
16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662
-
SHA512
de98bee6a670b9b7e787e50786c75feecd647b3cde1dea6d01105f32b3271c61c4fbc881e7609f4ba33d0e36156117e430ab6f532e030c4550eb2147095f1670
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66cib
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe"C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tylow.exe"C:\Users\Admin\AppData\Local\Temp\tylow.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tehos.exe"C:\Users\Admin\AppData\Local\Temp\tehos.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5f82b5e46ecc7199a4d77265ab29e761f
SHA1471dc7642de247841861ef0047e6e73fe6e0509c
SHA2568a106558acbed72ae6114bc0d074af4570578010fffa14854c5f703466ebd300
SHA512bec787feeb03ebb2cc4477ffa405f3f39cdb02a85c134462f4907128c7fa82532c5a83ddd39f7a26a9b9a8084fb65ed2d7ee7d63e42ec779c7c63a3a89fc13b7
-
Filesize
512B
MD590fd435b236208fa71835369412ce1a4
SHA179dab955fffa2866f0d0f30a125ee7d4276d3e42
SHA25657c834472c8cd48ab3ad3f65cd0dcaf2be3eea0ff25b6b45e7a9e12bbd52d375
SHA512ddd5f5def1eff3ac7e9c8184ef1b99c190d456a3e70951a322357e594469e239ade7259510567ee2498e8f766d45b61f82e5323f211b5cfb80855b807b81ff2f
-
Filesize
172KB
MD5fe891bc5a7d46a2ddd789aea5ec73091
SHA1268a38df1042bcb4beae46e5c5f63a08d3826367
SHA256adf385698752844ad701def43f00c9acc067fcdeaa34c16780a7016b3ad99203
SHA512409e48ecd5ecafd5eecc4b0be749a2e12c3eca15fabee818ccb55b77af764f2518acea0be6f1c3b9a426ae9340c7a87be9190f60874d41548102a19b3dfcd446
-
Filesize
332KB
MD5915a3e523d348100aed3a6a5f3761245
SHA1161b419a35b6ee9e16d8ad90845ad279e88fef50
SHA2565e4c2f9897fd743edb64f89838795c9341a4f78fb4e27774db67de5c8ab482e2
SHA5128dc31604192b9babb8ffc6099cade5625b92f0ef94e79c657a5863805ef7cd447c3bea5add790cbeb004c780ff48b0ff62b264fb09ecea80a2ba17a9099bb148
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB