Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 10:11

General

  • Target

    ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe

  • Size

    535KB

  • MD5

    463b6d7b034ea2b275a7c6bd06b849f2

  • SHA1

    20a60c50e679915ef1415065fa170885ad280ffc

  • SHA256

    ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7

  • SHA512

    a66cc0480363a37815e031a8d7e8e14950a4af6404d3188497e65bfa5d0bf23b5224959ecf1f2b60f8937029bc6778a3e148b7beceddc53e6878cb99859b09b9

  • SSDEEP

    12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2j:cLjQC+bs0YOj

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
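
The "UPX packed file" signature above is a static check on the PE section table. The following is an added example, not code from the sandbox report or from the sandbox vendor: a standard-library PE section parser run over constructed in-memory images (not the report's binaries). Stock UPX names its sections UPX0/UPX1 (UPX2 when resources are kept) and leaves the first section with no raw data, since the stub unpacks into it at run time; a modified UPX build may rename the sections, so the name check is paired with an entropy check on the first section that has raw data, which is the signal that survives a rename. The section layouts, sizes and thresholds in the samples are assumptions chosen for the demonstration.

```python
"""Section-table check for UPX-style packing (added example, constructed input)."""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1", b".UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_size, raw_ptr)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rsize, rptr))
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Combine the section-name signal with the section-shape/entropy signal."""
    sections = parse_sections(pe)
    if not sections:
        return {"sections": [], "upx_names": False, "hollow_first_section": False,
                "entropy": 0.0, "packed": False}
    names = [s[0] for s in sections]
    by_name = any(n in UPX_SECTION_NAMES for n in names)
    # Packed shape: first section is virtual-only, the next one holds the compressed image.
    hollow_first = len(sections) >= 2 and sections[0][2] == 0 and sections[0][1] > 0
    _, _, rsize, rptr = sections[1] if hollow_first else sections[0]
    entropy = shannon_entropy(pe[rptr:rptr + rsize])
    return {
        "sections": [n.decode("ascii", "replace") for n in names],
        "upx_names": by_name,
        "hollow_first_section": hollow_first,
        "entropy": round(entropy, 2),
        "packed": by_name or (hollow_first and entropy >= HIGH_ENTROPY),
    }


def build_pe(specs) -> bytes:
    """Constructed test input: a minimal PE image from [(name, virtual_size, raw_bytes)].
    It has a valid DOS/COFF header chain and section table but is not a loadable program."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)    # PE32 magic, rest zeroed
    table_end = e_lfanew + 4 + 20 + size_opt + 40 * len(specs)
    raw_base = (table_end + 0x1FF) & ~0x1FF                     # file alignment 0x200
    headers, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw in specs:
        rptr = raw_base + len(blobs) if raw else 0
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw), rptr, 0, 0, 0, 0, 0xE0000040)
        blobs += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(raw_base, b"\0") + blobs


# Constructed samples (assumed layouts, not the report's binaries).
_rng = random.Random(7)
COMPRESSED_LIKE = bytes(_rng.randrange(256) for _ in range(4096))   # stands in for packed data
PACKED_SAMPLE = build_pe([(b"UPX0", 0x8B000, b""),                  # hollow, filled at run time
                          (b"UPX1", 0x1000, COMPRESSED_LIKE),
                          (b".rsrc", 0x1000, b"\0" * 512)])
RENAMED_SAMPLE = build_pe([(b".text", 0x8B000, b""),                # same shape, stock names removed
                           (b".data", 0x1000, COMPRESSED_LIKE)])
CLEAN_SAMPLE = build_pe([(b".text", 0x3000, b"\x55\x8b\xec\x83\xec\x10" * 700),  # repetitive code bytes
                         (b".data", 0x1000, b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_indicators(img))
```

The renamed sample is the case the signature description warns about: no UPX section names, but the hollow-first-section shape and near-8-bit entropy still flag it. On a real file, replace the constructed images with `open(path, "rb").read()`; the parser honours whatever SizeOfOptionalHeader the header declares, so PE32 and PE32+ both work.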

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe
    "C:\Users\Admin\AppData\Local\Temp\ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Users\Admin\AppData\Local\Temp\beqif.exe
      "C:\Users\Admin\AppData\Local\Temp\beqif.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Users\Admin\AppData\Local\Temp\rudec.exe
        "C:\Users\Admin\AppData\Local\Temp\rudec.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4168
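
The process tree above (a sample in %TEMP% dropping and executing beqif.exe, which drops and executes rudec.exe, while the first process also runs a .bat from %TEMP% through cmd.exe) is the shape a detection engineer would want to match in endpoint telemetry. The following is an added example, not code from the sandbox report: a small rule set run over constructed process-creation records laid out like Sysmon Event ID 1 (pid, ppid, image, command line). The records reproduce the report's tree; the explorer.exe launcher with pid 1200, its parent pid, and the benign notepad.exe record (pid 5120) are assumptions added for the demonstration, as the report does not name the parent of the first process. The report lists _uinsey.bat but not its contents, so the batch-file rule is a triage pivot, not a verdict.

```python
"""Process-chain rules for drop-and-execute behaviour (added example, constructed records)."""
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
BAT_FROM_TEMP = re.compile(r"\\appdata\\local\\temp\\[^\"]+\.bat", re.IGNORECASE)

# Constructed process-creation records mirroring the report's tree. The explorer.exe
# record (pid 1200, parent 900) and the notepad.exe record (pid 5120) are assumed.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3508, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ca7a57d85a12aea9999d0855b39df01b46061959fde3e4d4d017176cf3247dd7.exe"'},
    {"pid": 1984, "ppid": 3508, "image": r"C:\Users\Admin\AppData\Local\Temp\beqif.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\beqif.exe"'},
    {"pid": 4916, "ppid": 1984, "image": r"C:\Users\Admin\AppData\Local\Temp\rudec.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\rudec.exe"'},
    {"pid": 4168, "ppid": 3508, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 5120, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def ancestry(events, pid):
    """Return [pid, parent, grandparent, ...] following ppid links present in `events`."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events):
    """Return {pid: [rule names]} for every record that matches at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ppid"])
        in_temp = bool(TEMP_DIR.search(e["image"]))
        parent_in_temp = parent is not None and bool(TEMP_DIR.search(parent["image"]))

        # Rule 1: an executable under %TEMP% launches another executable under %TEMP%
        # (dropper hand-off; the report's "Executes dropped EXE").
        if in_temp and parent_in_temp:
            findings[e["pid"]].append("temp_exe_spawns_temp_exe")

        # Rule 2: cmd.exe /c running a .bat out of %TEMP%, spawned by a %TEMP%-resident
        # process. Droppers commonly use such a batch file to delete themselves, but the
        # report does not show _uinsey.bat's contents, so this only marks a pivot.
        if (e["image"].lower().endswith("\\cmd.exe") and BAT_FROM_TEMP.search(e["cmdline"])
                and parent_in_temp):
            findings[e["pid"]].append("cmd_runs_bat_from_temp")

        # Rule 3: count how many consecutive ancestors (starting at this process) live in
        # %TEMP%; a run of three is the report's shape and is rare for legitimate software.
        temp_depth = 0
        for p in ancestry(events, e["pid"]):
            if not TEMP_DIR.search(by_pid[p]["image"]):
                break
            temp_depth += 1
        if temp_depth >= 3:
            findings[e["pid"]].append("temp_chain_depth_%d" % temp_depth)
    return dict(findings)


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(EVENTS).items()):
        print(pid, by_pid_image := next(e["image"] for e in EVENTS if e["pid"] == pid), rules)
```

Note that the first process (pid 3508) fires no rule on its own: an executable in %TEMP% launched by explorer.exe is how every user-downloaded installer starts, so the signal here is in the chain, not the root. Rule 3 is the one that separates this tree from an installer that spawns a single helper.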

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    5d1d611f2e99516b48120f013968bd21

    SHA1

    e7c30d8e16a74713de048450c7d39426d18f1719

    SHA256

    1b5e039ab657edfa192f288184c24ce70db146845eba235f4c3f5a23aff826f1

    SHA512

    d52dc9ff76cfce51aef41cceaa6c6e3f687544d215b8e6e51ac88de0946b42225ba74b74984e3463efd8bd8d174abec550815cec45b6407e01592c1a8d41c479

  • C:\Users\Admin\AppData\Local\Temp\beqif.exe

    Filesize

    535KB

    MD5

    e8ecfe29ca1d97998cc1458079598c10

    SHA1

    9d23c49043cf34a22050825dfd9433098a0ac7ac

    SHA256

    f6d3a23a99123ff0df1e80d53044dd43a9a1e78fb557457a8c723e8af89c1f89

    SHA512

    c49d9b70d76cf199ab5e12edef160271d0eb192c8f2bf5d41dc83ed6d44979bd75adb581aaedbc9e423b0272eb9dc90c71b40fed576344eb9fc14eefa34debf6

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    c4986b13dbf2468e138dde1d9c81ea3f

    SHA1

    5b90b4d24786f7c466f8cd07427a32fde8bb85a3

    SHA256

    e3b7c28cfefdbed8e1aabb4a20613e048ac35bf0b4ab94f35540d054d3bdee2f

    SHA512

    d814d65c5ac35bb5365e20497623f70bd6077d42e61de90de8affdcbc6fb174c7961a75ac5f011853688b7eb486576f5d1fffaa2bc656cbaeea01945f172b09f

  • C:\Users\Admin\AppData\Local\Temp\rudec.exe

    Filesize

    241KB

    MD5

    84771f1b136ba94d6dad63855c4e15b1

    SHA1

    baba19b98c3fde53eab3bcaccb406f29b53c7399

    SHA256

    def8a1877f10042b0dd3caed00a1e80a9c7c3da7247899e07605e3ea06683e4a

    SHA512

    9e480d952ce910dffa96cf9a9a8be0e6baaa06af5e27d6bf06ac44b0a6d0452facd9c6fc49bf877359c94aafb02c209bba84de3c6ae41f4308e26a8926301c7c

  • memory/1984-27-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/1984-17-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/1984-10-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3508-14-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3508-0-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/4916-26-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/4916-28-0x0000000000C40000-0x0000000000C41000-memory.dmp

    Filesize

    4KB

  • memory/4916-31-0x0000000000C40000-0x0000000000C41000-memory.dmp

    Filesize

    4KB

  • memory/4916-30-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/4916-32-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB