Analysis

  • max time kernel
    119s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 00:13

General

  • Target

    22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe

  • Size

    621KB

  • MD5

    f61a413e1e72f6b12bafe0daf6a43065

  • SHA1

    749c7a8634e4e761c6a25beb5e9d1708e115adc4

  • SHA256

    22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429

  • SHA512

    41ea3f80938116195484ca47c98d1682541a9e1b9e9461163f5533c5f0f1ac39c913f24e7cdefb24197a90c084f3b539bf48c1a1eb92a5d86eb1db2ef0fa6934

  • SSDEEP

    6144:imbmLppYOuakYGWV5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXWyKV:ima6idv8zzkGHVqoq/gKWd

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe
    "C:\Users\Admin\AppData\Local\Temp\22fe8b86056cc28b39eed6b539e447af5ab0b036329784978a849b316e3fc429.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\odkyx.exe
      "C:\Users\Admin\AppData\Local\Temp\odkyx.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Users\Admin\AppData\Local\Temp\ahpuz.exe
        "C:\Users\Admin\AppData\Local\Temp\ahpuz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3920
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1796

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    8662a4449569921841277a35ecde317c

    SHA1

    ea04f931bfc5ab82a8c86b9d1115d76864ee12eb

    SHA256

    e305d985eecbd3c8ab73df8f335a32ef2c062af04264e5696df308846fe5e78d

    SHA512

    ccb56f421bc6231835e0a95a18b2fd18f5d78250d44a35312e85d379a7dafc61d47622a414f3e1f716890a77a777bc04eab36a4f445312db1ba190b0f08eabe5

  • C:\Users\Admin\AppData\Local\Temp\ahpuz.exe

    Filesize

    203KB

    MD5

    343f59f2bb707997a2defaed3f2a9ddc

    SHA1

    7b62dfa5fde533c8a3e1a7867101cb8937741b92

    SHA256

    8e83cb8209b07f0b22426b3a224355dd5b8b12b4752b63e56b26badfacbf388d

    SHA512

    92145eb9141866e9d39e9865e5c70f1c960df05c9d004fccce635a2007ca9f48a1c6f8047f6ceb29efe57de07a0b70153a5a863ecf7ec0cb42442a973438bfe8

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    85aea5f23227d9be9ed241fa16499cc8

    SHA1

    82f9e1e30127f771e39c40f71f2bc5e830d6a9ed

    SHA256

    e293c0e02e75177fb70a92fb36df749c0b347facf7769ab0ba956e41cbd8d22a

    SHA512

    1f834f2ea48c9c8962676e9c6beb011ea795f9ecf22216035b9463c7129db63a960fd7e98234916a3f188d86a07ee999a774e021190e75cb66b7e5ca5551f57b

  • C:\Users\Admin\AppData\Local\Temp\odkyx.exe

    Filesize

    621KB

    MD5

    a3f1dfe1cac87c68926401ca94bd1abd

    SHA1

    89da19054c2893eabd591bb7d816f0ee95f490a3

    SHA256

    fe387feb0d601f20cbb650b721a37bcb8d23996b6953f25a90d7f24b896930f5

    SHA512

    fdb2ff54ac291ba6fd2821567c249702fb73e4df95adc601c4686ce83919577e8c99ae9c90b1bd374f362b2084477ddb598019c0a5bdcadddba34b3385f62c6a

  • memory/2756-13-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/2756-0-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/3844-16-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/3844-26-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/3920-24-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/3920-27-0x0000000000492000-0x0000000000493000-memory.dmp

    Filesize

    4KB

  • memory/3920-29-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/3920-30-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/3920-31-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB