Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19-11-2024 09:25

General

  • Target

    08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe

  • Size

    334KB

  • MD5

    a028ad301750d80f90286320c4447dd0

  • SHA1

    d21f9b6e7516b5af96caaaaf600f2cdef94fa9cf

  • SHA256

    08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c

  • SHA512

    0d31a15091e37fe85b65b16dbc4bc8adb6f66987913824c160ab708047d51a3f96fa946a6553705cd4b39bbd9709c2d238950719e5ee14d2e0f82a9db23efdba

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66cix

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe
    "C:\Users\Admin\AppData\Local\Temp\08aead7273082b7d71818151a30eb3b88a53a7363fa014b7d250ec98e31f273c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\qimuu.exe
      "C:\Users\Admin\AppData\Local\Temp\qimuu.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:424
      • C:\Users\Admin\AppData\Local\Temp\siamp.exe
        "C:\Users\Admin\AppData\Local\Temp\siamp.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    bd79dbd44d14f0b3f15d726bb37ead07

    SHA1

    8060d0306339115bde5b55889fa238dbaf1ef34f

    SHA256

    e675fb7c52d8d4c380ec2ae263b1284d5eab2de83f24322569490fa7ee024f62

    SHA512

    5a3d7b5703ab9318d025c0dee399fabb368731c08a9798f92b226ea6fc3a980fe863e39d31966a01e4135526a71558287d7f846a162386ec6cc1eaf83f430311

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    fdc5aeee44cd592f886da39c0dde1931

    SHA1

    420731aea99e27025637c3c70401b885c1ebe14b

    SHA256

    14977ae085980d72291a77c0a98a05b856bf021c93eadd43d7d1ac5f0ea1f5cc

    SHA512

    20501ec04484e83155158fa2d88b46fbee93bc5c3947367975318f2202428114c07559a053593ba0d7d1984b8e65b239aacb7c6700eb2a9f0f4fae713c286c9f

  • C:\Users\Admin\AppData\Local\Temp\qimuu.exe

    Filesize

    334KB

    MD5

    59fdbe2161e64bf2e21cb1a657f8c28a

    SHA1

    1ab26b7f72411b75513ec5846d47ece57561bdcd

    SHA256

    ff9dd95bde408e0c6a143f76b082ac68a4e3f379cdab0fd47d97386760fb3e9e

    SHA512

    ac95c24a1888362e0cf18ce2a5ba816da5db9d79edc89dd48f78f2858dca1f3d41ec701c960ac9af79f1db667926de88b8f5b09115edd3b6749b85815f703711

  • C:\Users\Admin\AppData\Local\Temp\siamp.exe

    Filesize

    172KB

    MD5

    2e7fb658e118a29dde0b2c30e8c67108

    SHA1

    0a68ffda5b87d776589f61c9fb311629f2e75c95

    SHA256

    1c7116dd1ff5f1cc93d7aeaaac6649ba3ccab3e71146e794be97525ee14ba0b6

    SHA512

    9ef9eee8ec80627eb09270e319d46efb97460a31a104f900ab5e7b789c2542a13658ecebb3d34d51423e88923440ce093017497efccb0fc9a01be15ae8b6057c

  • memory/424-20-0x0000000000520000-0x00000000005A1000-memory.dmp

    Filesize

    516KB

  • memory/424-21-0x0000000000E60000-0x0000000000E61000-memory.dmp

    Filesize

    4KB

  • memory/424-11-0x0000000000520000-0x00000000005A1000-memory.dmp

    Filesize

    516KB

  • memory/424-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

    Filesize

    4KB

  • memory/424-44-0x0000000000520000-0x00000000005A1000-memory.dmp

    Filesize

    516KB

  • memory/2148-0-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

  • memory/2148-1-0x0000000000920000-0x0000000000921000-memory.dmp

    Filesize

    4KB

  • memory/2148-17-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

  • memory/4496-41-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/4496-39-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

    Filesize

    8KB

  • memory/4496-38-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/4496-46-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

    Filesize

    8KB

  • memory/4496-47-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB

  • memory/4496-48-0x00000000003B0000-0x0000000000449000-memory.dmp

    Filesize

    612KB