Analysis

  • max time kernel
    119s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-11-2024 03:01

General

  • Target

    8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe

  • Size

    334KB

  • MD5

    0a08b52fa7d91e9475ef6f51e3485897

  • SHA1

    5ee172a5004107e4c9e799512916c2cede15946c

  • SHA256

    8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16

  • SHA512

    2a75e92ee8e3f559e6a2c727746dc80a5227f4043d6881cc42151b39c34cb1090229c4ae0286a8ce7350e54c681f94589f5a6a8faea6afa88773d1d725eb6a01

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw+:vHW138/iXWlK885rKlGSekcj66ciV+

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe
    "C:\Users\Admin\AppData\Local\Temp\8101c1fedee09f7b280a2d5e509e00ce438d5b8bfdcbf8dd45b921b8e5c7dc16.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Users\Admin\AppData\Local\Temp\hycot.exe
      "C:\Users\Admin\AppData\Local\Temp\hycot.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\yctaq.exe
        "C:\Users\Admin\AppData\Local\Temp\yctaq.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    6f7b7a8f89495df2f21696848c2956f4

    SHA1

    53ce0ee385cf843e8b0f8749cdaaeb1e8212f13d

    SHA256

    4f60af66e78d9e66006a323ea6947ea15c1d6e9b6161c5c4528eadd6e0164603

    SHA512

    64cde6f881bf6a0a726be814a678eb08f1e84548b77356fb4fcc8a53fafa74754275e8e630342f9c5b0abaa7fd7d8bb37c05353d59c33b8e83d8909280f48e42

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    ac1c87599baf576651660486f7fcdc3a

    SHA1

    a1d3f6c0fdf4afd36b085e45a589d2807d27fb35

    SHA256

    ffe35ac2e94a5bdfa24969f3fe620e5f62310ce28b3400dacc060032f04857cf

    SHA512

    f2613eaaeda80ad4501c4a793962129db2dec3eac83c08318302f1aaa7669acca3f22537760c41f16902d7f63e968cef1c05802372586276aea38ef0c1ca4002

  • C:\Users\Admin\AppData\Local\Temp\hycot.exe

    Filesize

    334KB

    MD5

    76378c30077cfe6929ffa6f378dc961a

    SHA1

    a993ec744e227eb9d50bf76e0e659224760eec23

    SHA256

    2c3ee8326913a391742b02436cb901884ff19181534d8b640df07026dfd0ca6f

    SHA512

    08108892416f1415e5a435e6456c8442c449d151ce110151caec05cda98ca57d75121316d8891cdf95e2c7f88112a5bd417ec06dbb6e7bdfec8dcf204c004966

  • C:\Users\Admin\AppData\Local\Temp\yctaq.exe

    Filesize

    172KB

    MD5

    a4c4e302572c69609641963f73261ad6

    SHA1

    3ebabf266c755531922d3a958d072f8aa5b79e9e

    SHA256

    53e216a7ef597fb70abbed0547c15b6395fc92b616895fab6ae2313e04256136

    SHA512

    a6b829111e678e7de4529987079113ada46316189a0d2c782f7a65ee6fda971c9e8dead5840d31e137e7c8d05836d40d26f31874d28c8185d0f56ef4b5699c4d

  • memory/2568-19-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB

  • memory/2568-11-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB

  • memory/2568-13-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB

  • memory/2568-42-0x0000000000C80000-0x0000000000D01000-memory.dmp

    Filesize

    516KB

  • memory/3576-35-0x0000000000110000-0x00000000001A9000-memory.dmp

    Filesize

    612KB

  • memory/3576-40-0x0000000000F90000-0x0000000000F92000-memory.dmp

    Filesize

    8KB

  • memory/3576-37-0x0000000000110000-0x00000000001A9000-memory.dmp

    Filesize

    612KB

  • memory/3576-44-0x0000000000110000-0x00000000001A9000-memory.dmp

    Filesize

    612KB

  • memory/3576-45-0x0000000000110000-0x00000000001A9000-memory.dmp

    Filesize

    612KB

  • memory/4908-16-0x0000000000240000-0x00000000002C1000-memory.dmp

    Filesize

    516KB

  • memory/4908-0-0x0000000000240000-0x00000000002C1000-memory.dmp

    Filesize

    516KB

  • memory/4908-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB