Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-11-2024 17:48

General

  • Target

    3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe

  • Size

    427KB

  • MD5

    e648b0635d12efb3ec00cab6d95b8e40

  • SHA1

    828a988cc7fe85f2d99a8e4d3eee765ecc50d5c4

  • SHA256

    3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48e

  • SHA512

    b61eb200dbc3b4fa2a133f31575d91a182fc37b5906306a1f1678bd2f8101581604a7c36e5c2a278180b6350e7d0ed3367a9efabf502a3c1b8a6fb18674844f5

  • SSDEEP

    6144:EKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fkKG:vANxU3VH1t19MsAlpXZ

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe
    "C:\Users\Admin\AppData\Local\Temp\3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\evgud.exe
      "C:\Users\Admin\AppData\Local\Temp\evgud.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Users\Admin\AppData\Local\Temp\xovik.exe
        "C:\Users\Admin\AppData\Local\Temp\xovik.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3652
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3608
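The tree above is the part of this report a detection engineer would turn into a rule: an executable in the user's Temp directory drops and launches a second executable in Temp (evgud.exe, the same 427KB size as the original but a different hash), that one launches a third (xovik.exe), and the original runs a dropped batch file through cmd.exe. Note that the parent asked for C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit (the resource tags carry arch:x86 on an x64 image), so WOW64 file-system redirection substituted the 32-bit cmd.exe, and a rule keyed on the literal system32 path would miss it. The Python below is an added example, not part of the Triage report or of the Urelas sample. It runs those checks, plus hash and C2 matching from the Malware Config and Downloads sections, over constructed events that mirror the process tree; the event schema (kind, pid, ppid, image, cmdline, path, sha256, dst_ip), the assignment of file writes to pids, and the single network event are assumptions made for the demo (the report's own Network section records no traffic).

```python
"""Hunting checks for the execution chain in this Triage report (added example,
not part of the report or the sample)."""
import ntpath
import re

# Indicators copied from the report's Malware Config and Downloads sections.
URELAS_C2_IPS = {"218.54.31.226", "218.54.31.165"}
DROPPED_SHA256 = {
    "1df13ce7211e1abc74449db0de48ee12fbd4287975612b67445469b80c320e75": "evgud.exe",
    "b4881706f0ab0f258ba572d45c71c84779883effd36d7119b374f7f4eecf7033": "xovik.exe",
    "4a3a8a623aca8fafb6d49d51e48da54155c0c58fea7967413f9134ed2db28000": "_uinsey.bat",
    "391dba491eaae6c5518575e7844024233931e0850e83ddbc84e87b613528de22": "golfinfo.ini",
}
TEMP_MARK = "\\appdata\\local\\temp\\"
BAT_RE = re.compile(r'[^"]+\.bat')

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe"
EVGUD, XOVIK, BAT = TEMP + r"\evgud.exe", TEMP + r"\xovik.exe", TEMP + r"\_uinsey.bat"

# Constructed events mirroring the report's process tree. The schema, which pid
# wrote each file, and the final C2 connection are assumptions for this demo;
# the last two processes are a benign control that must not alert.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4876, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "file", "pid": 4876, "path": EVGUD,
     "sha256": "1df13ce7211e1abc74449db0de48ee12fbd4287975612b67445469b80c320e75"},
    {"kind": "process", "pid": 3928, "ppid": 4876, "image": EVGUD, "cmdline": f'"{EVGUD}"'},
    {"kind": "file", "pid": 3928, "path": XOVIK,
     "sha256": "b4881706f0ab0f258ba572d45c71c84779883effd36d7119b374f7f4eecf7033"},
    {"kind": "process", "pid": 3652, "ppid": 3928, "image": XOVIK, "cmdline": f'"{XOVIK}"'},
    {"kind": "file", "pid": 4876, "path": BAT,
     "sha256": "4a3a8a623aca8fafb6d49d51e48da54155c0c58fea7967413f9134ed2db28000"},
    {"kind": "process", "pid": 3608, "ppid": 4876, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + BAT + r'" "'},
    {"kind": "net", "pid": 3652, "dst_ip": "218.54.31.226"},
    {"kind": "process", "pid": 5000, "ppid": 1234, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "C:\Program Files\Vendor\update.bat"'},
]


def in_user_temp(path):
    """True for paths under a user's %LOCALAPPDATA%\\Temp, case-insensitive."""
    return TEMP_MARK in path.lower()


def basename(path):
    return ntpath.basename(path).lower()


def temp_chain_depth(pid, procs):
    """Count consecutive Temp-resident executables walking up from pid."""
    depth, seen = 0, set()
    while pid in procs and pid not in seen and in_user_temp(procs[pid]["image"]):
        seen.add(pid)
        depth += 1
        pid = procs[pid]["ppid"]
    return depth


def analyze(events):
    """Return (rule, pid, detail) alerts, in event order."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    alerts = []
    for e in events:
        if e["kind"] == "process":
            parent = procs.get(e["ppid"], {}).get("image", "")
            image, cmd = e["image"], e["cmdline"].lower()
            # Temp-resident exe launching another Temp-resident exe (4876 -> 3928 -> 3652);
            # the detail is how deep the Temp-only chain already is.
            if in_user_temp(parent) and in_user_temp(image) and image.lower().endswith(".exe"):
                alerts.append(("temp_exe_spawns_temp_exe", e["pid"], temp_chain_depth(e["pid"], procs)))
            # cmd.exe /c <Temp>\*.bat from a Temp-resident parent (3608). Match on the
            # basename: a 32-bit parent asking for system32\cmd.exe gets SysWOW64\cmd.exe.
            m = BAT_RE.search(cmd)
            if (basename(image) == "cmd.exe" and "/c" in cmd and m
                    and in_user_temp(m.group(0)) and in_user_temp(parent)):
                alerts.append(("temp_exe_runs_temp_bat", e["pid"], basename(m.group(0))))
        elif e["kind"] == "file" and e["sha256"].lower() in DROPPED_SHA256:
            alerts.append(("known_dropped_file", e["pid"], DROPPED_SHA256[e["sha256"].lower()]))
        elif e["kind"] == "net" and e["dst_ip"] in URELAS_C2_IPS:
            alerts.append(("urelas_c2_contact", e["pid"], e["dst_ip"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid} {detail}")
```

The behavioural rules fire on the benign-looking parts of the chain (Temp executables spawning Temp executables, cmd.exe running a Temp batch file) without depending on the hashes, so they survive the per-build hash churn that the two 427KB executables with different digests already illustrate; the hash and C2 matches are there for retro-hunting against this exact build.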

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    342B

    MD5

    880dbeb79cd26cd0cff5c79b950bc855

    SHA1

    9f3e1ea7bae694c9d1efb10c92996357ad094bc5

    SHA256

    4a3a8a623aca8fafb6d49d51e48da54155c0c58fea7967413f9134ed2db28000

    SHA512

    05cde8764a19e3e8d9ca4e657f5e7e30272a5d4e58d44d34a0e209a4023c83a64b2980156bc5d30510438b2d7b107b939a286e4f8fc0c73a8798bebda17f739d

  • C:\Users\Admin\AppData\Local\Temp\evgud.exe

    Filesize

    427KB

    MD5

    2941e6f9daae3aa457bdde850b94cea5

    SHA1

    c183cbb950e7196d351c22b2c1b595626c405afa

    SHA256

    1df13ce7211e1abc74449db0de48ee12fbd4287975612b67445469b80c320e75

    SHA512

    75d6f26794f21b3d6347f1d5d1f104e5d3ecc5ff5766fd17fb62593899fb92defcdd106180c2f6c5cdb560ef14e59d30423b30901ac92b41f7a19c3b11e60ce9

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    7e0390d008259a3405c67ec41335ad6d

    SHA1

    73babde265322cfc6a4257db8302b1e1ea1a87f1

    SHA256

    391dba491eaae6c5518575e7844024233931e0850e83ddbc84e87b613528de22

    SHA512

    b7685d143855f3521a938d5880e03345aa78676e241bf4a7a9f0ff35e3e2a491083069e55e49f9c932c2ff25605d7c49fa190ea4bac6ffcb5cc2ed248cfe1ba1

  • C:\Users\Admin\AppData\Local\Temp\xovik.exe

    Filesize

    216KB

    MD5

    61c981a03e93fc7a6c12924ad97cf3cb

    SHA1

    c70117a171b64c054a360f9a57517c9688c84635

    SHA256

    b4881706f0ab0f258ba572d45c71c84779883effd36d7119b374f7f4eecf7033

    SHA512

    59c5183b4e24d25fe1078ee06c937eab1ffa6d6281bc9608b3d8f3e313470eb8479b5654d0a26e8d368939eda567ddd30efa728bffba2556f2bbf8d1166bbc8b

  • memory/3652-27-0x0000000000D90000-0x0000000000E32000-memory.dmp

    Filesize

    648KB

  • memory/3652-33-0x0000000000D90000-0x0000000000E32000-memory.dmp

    Filesize

    648KB

  • memory/3652-32-0x0000000000D90000-0x0000000000E32000-memory.dmp

    Filesize

    648KB

  • memory/3652-26-0x0000000000D90000-0x0000000000E32000-memory.dmp

    Filesize

    648KB

  • memory/3652-28-0x0000000000D90000-0x0000000000E32000-memory.dmp

    Filesize

    648KB

  • memory/3652-29-0x0000000000D90000-0x0000000000E32000-memory.dmp

    Filesize

    648KB

  • memory/3928-17-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3928-30-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3928-11-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/4876-0-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/4876-14-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB