Overview

overview

10

Static

static

10

871789dbcf...cc.exe

windows7-x64

10

871789dbcf...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe

  • Size

    403KB

  • MD5

    5551ce6e7f9a167a8f778a1f82714473

  • SHA1

    e8d1facc9f1e727241ebdf17fb1923062af51302

  • SHA256

    871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc

  • SHA512

    2af3f45139ddd63b73fc49e7c1e4366af5f409d699c44b65e1af00cb93173a87bec790ac2ff0d90b03fe6e3ec7a583a2dd675adb79bff8d1083ec325f386d05b

  • SSDEEP

    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohS:8IfBoDWoyFblU6hAJQnO0

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe
    "C:\Users\Admin\AppData\Local\Temp\871789dbcfc9cd983c06321d1cffa959217e526e4b3a4a43f7ed98c22914c4cc.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\zehui.exe
      "C:\Users\Admin\AppData\Local\Temp\zehui.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Users\Admin\AppData\Local\Temp\ikcysu.exe
        "C:\Users\Admin\AppData\Local\Temp\ikcysu.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Users\Admin\AppData\Local\Temp\rehob.exe
          "C:\Users\Admin\AppData\Local\Temp\rehob.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3480
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    d0bb18121cc6b32c7439d3880d2b582e

    SHA1

    8c0c8aa68e616034aa8a4e38e483ba6937c384f9

    SHA256

    9f4241ad19f0e5ad8d0797a4c38b1528d9155814e5660097fabb67e578e08a8b

    SHA512

    042026e8643b029acf6152141cbca24d62df1f5ce2ca99af5e24d5a8c438b70f88b3e5c9c39007b289f6957697a2d8a6b049f211a1017cd42b24f47799ea0c12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    340B

    MD5

    badd143fdd91d805450bb931ce52d26a

    SHA1

    9620416cf7b868d2138ca8847be34f715d4976bf

    SHA256

    83f091ce4dcea45716afef483e5cb26e86a86da7e81b1ecf15eaf10f3480b421

    SHA512

    fefee21534490f435a07c803e62a07407db2bb6fed90becdb4254a6c79bbf90b5a29b90bd475e4b7eb98b10961b3ced62002d2c852f69d023a51ee71ad7f8d54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    e94d7a06650170ae1b27aba7a53e9dfc

    SHA1

    aaef54adeb2ef768f765bd30104f2dbf1406e349

    SHA256

    d739827a5a6061707fc0ebee5c7ea011087fe061685b3942a8f20c5b67baec63

    SHA512

    3219696b41b25f1347e50efe5efd75cda11d50d40e26e6f1865241922df8666b6447c985e1491dd0f291b73c1eb2f67531d5b85aabf481f7e65f8ac4d69d7a2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ikcysu.exe
    Filesize

    403KB

    MD5

    fed6c1aa256cadd0c47dca8dfd247fc4

    SHA1

    6772aa2b54c991c2fa46466e89e348b4329a9dd6

    SHA256

    4a4ccd22dd86acf81797e9bbd9b38db2cb40b42e00fe5d0955a97ea6e7f73a72

    SHA512

    0c802c1da1fa2a3ef2172dc922cc8ac3f14f38365c4042d1f5d1f4212ae5f6c128fc93a12f978659abc7909259482c95487ba46e7fda785a72837ad6f625d647

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rehob.exe
    Filesize

    223KB

    MD5

    af40367eb44869f52f4e4109b37fe461

    SHA1

    cfb2b71123f5e0c0951d0ecc3a5616b8e18901de

    SHA256

    587798edaaa7f1572c1881b91edda9fed61274afb8406a6b04d03d2fd7b1585d

    SHA512

    46ef32f4983e733167d3515dda5b5a374c1038b72cb9e84bfcd1148c3534cba8d73bb8931c5a0a30b26cf7ddb8ec2a69061dff05761b863bc71871784278cd40

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zehui.exe
    Filesize

    403KB

    MD5

    fead5a825695c6282fd77ba1a5e5a8b7

    SHA1

    5021d47374d3cafc51cdc3b6fe078feb44ab6b8e

    SHA256

    a62209e97144e424f8358b053bf7697d997e46cc072493b050444d9cd50ba598

    SHA512

    f36dadc5d2f2386c8775c379100d5ee660bb2989a65af41f8de7878016a40bc6264983660d5c6f3a810578d17e0185a7a00d5433ea13022be7fd9deafa7a7c76

    Download Submit

  • memory/756-16-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/756-0-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/2812-26-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/2812-39-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/2948-25-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/2948-13-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/5060-37-0x0000000000470000-0x0000000000510000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5060-42-0x0000000000470000-0x0000000000510000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5060-43-0x0000000000470000-0x0000000000510000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5060-44-0x0000000000470000-0x0000000000510000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5060-45-0x0000000000470000-0x0000000000510000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5060-46-0x0000000000470000-0x0000000000510000-memory.dmp

    Filesize

    640KB

    Download