Analysis
-
max time kernel
119s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 05:22
General
-
Target
55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe
-
Size
536KB
-
MD5
e3baf642db69a07e28e3aec2aec78bdd
-
SHA1
6a4e2ec7dce686c77f1751f7eac33a24be8fb9fe
-
SHA256
55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458
-
SHA512
f7b64d8536d15703e91b79ea64ec775191ddc7eabfb339ac33891b065a729ee0987f622a808c518ed2fffb9fa65f3df7b11b97e784e65ec7c918023ecdd8f3d2
-
SSDEEP
12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2g:cLjQC+bs0YOg
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe"C:\Users\Admin\AppData\Local\Temp\55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xiajq.exe"C:\Users\Admin\AppData\Local\Temp\xiajq.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\huobq.exe"C:\Users\Admin\AppData\Local\Temp\huobq.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD52b7661c6ec6638c59f7a18509f3936b4
SHA10279a4d9807dbf9100d521ad9b0c8f4cf208b221
SHA2560ab1c3e8ea28e13154fa6cece24d8a3b8d3e2643f249be2738edb004da0b810f
SHA512e646a5869cbfc5b1abd4156b2458556f54f51bdfc42567783b264b52da750787b0dab6d72a141a89511019949581d118d75a9da70baf3045b94527e05f5de963
-
Filesize
512B
MD575c36b40019280dbb766cd289cabfe21
SHA19cb5b15eba83563ea923db08118a615b78308ed9
SHA2562430abfd003da5f84c0ce90d10c37f5e9f467d713bcc2f5ab481e2d17cd252f0
SHA5122e237376989b9aa893d15d493965931647b2e53c82525ece8ebf2f2b84a97ad989981bfeb5dd4192cbc1a0b62c5b03a080a609d013f7e561c02ce88d83855801
-
Filesize
241KB
MD5164fc4ccc35ff34aada5229381359637
SHA112ea0ec31cb5078805811dd12eaa8acc5a00f4be
SHA256e74cd32917e8ea6b6b8f42f353646bb978d856f8db747decfdadf2e17e547046
SHA51291332aa387e276e41d7329f22df6d6494b152a3a39208a8ad205f097aa748dc649680fefebe7062d39edc912e48565a7ddfebd173148504d44c71951455baa2b
-
Filesize
536KB
MD5ffd147cdc20a47327c19086b2ec85f3d
SHA14f5099cce3d63d1dc0fdbe462c43ac144643f043
SHA256e7f2b9f042df6883c48b843a75481b2024170fefe19e37466542b19776a7d22e
SHA51203785357cc0a7b7798116646bf376b97c4c6f39a7bdd116c565bbad8470194931bd992f069dd148dad29f98447072bb735cc8003d97ea13db99686b4415c512f
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
556KB
-
Filesize
556KB
-
Filesize
556KB
-
Filesize
556KB