Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 11:27
General
-
Target
16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
-
Size
332KB
-
MD5
c5105fd9f1ab2ad22f450fff55d33143
-
SHA1
e68a07e75bff28a4bf27567dfdef8bd519fb8a5a
-
SHA256
16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662
-
SHA512
de98bee6a670b9b7e787e50786c75feecd647b3cde1dea6d01105f32b3271c61c4fbc881e7609f4ba33d0e36156117e430ab6f532e030c4550eb2147095f1670
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66cib
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe"C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rokuf.exe"C:\Users\Admin\AppData\Local\Temp\rokuf.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xozyd.exe"C:\Users\Admin\AppData\Local\Temp\xozyd.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5f82b5e46ecc7199a4d77265ab29e761f
SHA1471dc7642de247841861ef0047e6e73fe6e0509c
SHA2568a106558acbed72ae6114bc0d074af4570578010fffa14854c5f703466ebd300
SHA512bec787feeb03ebb2cc4477ffa405f3f39cdb02a85c134462f4907128c7fa82532c5a83ddd39f7a26a9b9a8084fb65ed2d7ee7d63e42ec779c7c63a3a89fc13b7
-
Filesize
512B
MD51ebe69f4e62b736c977d4cbd13660f55
SHA11aa456cbd34ceb594ceca0d5a398c5b9f30a5b88
SHA256af96bfbd76980a331b635cd7869fed1941c84ea12fe0d746873150f116e0e402
SHA512c0e8c6ca0571d26c229da8e41a935c712bf275621c9a86f5f432095541e78a3793691d709eb7f2a1e1a7c2d8fd09142acf4cbf88f5dda7a68fda08735417bf51
-
Filesize
332KB
MD5b4a2f9cd4cf728f63e0af21794c9b889
SHA11a253bb7a7cf30413c78fbe7a433c26d2667bf66
SHA2568018dc5419c76c9b7834845ff37ea418b27e12bf43681c3265bd0f1f4066912d
SHA512ec8e99e781da347de1fa6c3f55c6190bc8cb76cd63d977d872e2f947b4aa720c7f4cabf1672e9edc7c404cd85ee53f3eff356a67cfdf951079e764cc00582952
-
Filesize
172KB
MD5c8c5951ac99b7e8b2b1dc6eecbefe855
SHA195f344400da686bc059af815b91a960861db4e2a
SHA256f1f1c7133a00a3a9bbcccf8069891792d8c4a3a8fffef114a7cb3b798345f69f
SHA5123ccc3dda0a746484c8801d20052a492ed869d50ef202204aa11a5470b02287b8ab70ec95e64ebb6a777151413ab519a23887e5ce7210c38a47ca286da721544d
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB