Overview

overview

10

Static

static

10

7d8b01e278...14.exe

windows7-x64

10

7d8b01e278...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe

  • Size

    463KB

  • MD5

    e0ada6ad8b630e3a025fa62c846a1346

  • SHA1

    84132766b6ecfd33760c40ff23f9abe286902944

  • SHA256

    7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614

  • SHA512

    b4afe28fcae4fdc29be8aef9c3c73d35e78559cc4117922850c6eea71b506b87ce8b2b518c24497c8d5654227217f21741e04f74022cdcb00062d2765a25425c

  • SSDEEP

    6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpms:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsu/

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe
    "C:\Users\Admin\AppData\Local\Temp\7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      "C:\Users\Admin\AppData\Local\Temp\sander.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2908
      • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
        "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
        3⤵
          PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
      Filesize

      341B

      MD5

      4f2d8dd0ff0913366cfe1cc6f9758921

      SHA1

      c8fa363f87cc0fb225c3a954c9f72860424b809a

      SHA256

      67de4145656a5bdd3e986e1256391fd360fc93df3bcc584984c990af11c1eb0b

      SHA512

      32228b6b20f1d6b7834d19f3a6442896edc2c9a63faeed19f28febf6bda7b7062218678aa8c967a5262b0d640d1181af47f777fcc38f42fe229a2b20b9c6c84d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
      Filesize

      221KB

      MD5

      3ebe4bafb8c01e4a2418e631a0129690

      SHA1

      a7a91d3fc5d8ed8f4e77b4dee4ef1d6ed2c9913a

      SHA256

      77982f0d95b3c59ff67b19267d01e970f6e80c247da89e404de7e98ce3d370d1

      SHA512

      15d9c9a35110b3b1f9007158181c547a5597801c8ab9b722b7d81b61aa35c83d2160a2f4112d1cce0787630d4f4722d7ca404b9fbf2d349d1871d0f41456d633

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      04113afab96ff36e7da4cabf336079cf

      SHA1

      2ab6a01f123c1ef4227cb134612749b67a237bf6

      SHA256

      8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

      SHA512

      68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sander.exe
      Filesize

      463KB

      MD5

      6fe1693bc61aa4af8be22d357171a293

      SHA1

      8b1563d8342da73a88afc2b90a0639b70057cb97

      SHA256

      c235d61984412b86bf9ac4abe02984832b850d655ba9ef0d7d71dbd40a5532fc

      SHA512

      9f3f48ef078e84f38058c9ec9420485ab38215b1b3fc5a3fe6691e99c316060f36f0e085fb83d3d8ce33c08e839d4ff9a6dd3f29d5e78dfb516a27f510cc56fb

      Download Submit

    • memory/2524-31-0x0000000001370000-0x0000000001411000-memory.dmp

      Filesize

      644KB

      Download

    • memory/2524-37-0x0000000001370000-0x0000000001411000-memory.dmp

      Filesize

      644KB

      Download

    • memory/2524-36-0x0000000001370000-0x0000000001411000-memory.dmp

      Filesize

      644KB

      Download

    • memory/2524-35-0x0000000001370000-0x0000000001411000-memory.dmp

      Filesize

      644KB

      Download

    • memory/2524-34-0x0000000001370000-0x0000000001411000-memory.dmp

      Filesize

      644KB

      Download

    • memory/2524-30-0x0000000001370000-0x0000000001411000-memory.dmp

      Filesize

      644KB

      Download

    • memory/2768-9-0x0000000002430000-0x00000000024B2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2768-18-0x0000000000F50000-0x0000000000FD2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2768-0-0x0000000000F50000-0x0000000000FD2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2908-29-0x0000000000050000-0x00000000000D2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2908-26-0x0000000003010000-0x00000000030B1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/2908-21-0x0000000000050000-0x00000000000D2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2908-16-0x0000000000050000-0x00000000000D2000-memory.dmp

      Filesize

      520KB

      Download