Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-11-2024 07:20

General

  • Target

    9b78d19afe8ef274b9debee712a7fbf1f8ca2d0a4f9c1d2005f0542d792fb942.exe

  • Size

    330KB

  • MD5

    4b9902bf074634779cdbe5af3775a6c6

  • SHA1

    d52eb67aa4a794b1db570a367cf0992a8e8e1d76

  • SHA256

    9b78d19afe8ef274b9debee712a7fbf1f8ca2d0a4f9c1d2005f0542d792fb942

  • SHA512

    f6777d9b59c5194a91de39ab382718b70f0399bc0bbf0d708629986e0e2710d667073ac6619c67f6afdd7f9daa0ecf5f998634a26e3c8124aec653d8f8aee221

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOF+:vHW138/iXWlK885rKlGSekcj66ciq+

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b78d19afe8ef274b9debee712a7fbf1f8ca2d0a4f9c1d2005f0542d792fb942.exe
    "C:\Users\Admin\AppData\Local\Temp\9b78d19afe8ef274b9debee712a7fbf1f8ca2d0a4f9c1d2005f0542d792fb942.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Local\Temp\puewc.exe
      "C:\Users\Admin\AppData\Local\Temp\puewc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Users\Admin\AppData\Local\Temp\tizic.exe
        "C:\Users\Admin\AppData\Local\Temp\tizic.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3648
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    8b64ad45b5e7598b2e4092a12902d5ef

    SHA1

    d16afd55a7e635525beeed1b5592d41ba773c39a

    SHA256

    c309c48c998642b0f0faa3efc8878dbbbe769ee779ddfcf9cce6f0251d03e3c2

    SHA512

    c7b1ee3b5238fc1ba90c65c67765ac80109c6edc78d032933b587c855854c6332b4f83ee7cc5c911a4ccf7bdb13e6efc712304fd4eee05004328148f91a9d4bc

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    4ab7fb3679b9cc21eb5e30649368bee0

    SHA1

    f4ae693f05ea37618727adcdb63acc5b8c9298b3

    SHA256

    fca0aa0a55ff3ddf3f427a2e6a3f3f2fd964238009bc4b23ca49ad212760b950

    SHA512

    43495ef58a936af058c1ebf6353a8832be8a8b1c58334692bb941e053a8b236d532a6a84905facada0ac793463f398f9b0687539054be04169eefe744e456ae1

  • C:\Users\Admin\AppData\Local\Temp\puewc.exe

    Filesize

    330KB

    MD5

    734d21f26e6726dcfaac9c020bd86a84

    SHA1

    b14111cb8d939e210770a98081b589e4100bd590

    SHA256

    4525d9101c0d75bec5e37c68921b66cf72625649dadcb0944c84e0a4b622b1ee

    SHA512

    7960ab445e1e78d42cc0a674ed5773855e3473a03276245239847edf1e56a4d2dab1462206df162cea2474040b97c762cd3a1d0d74f9da10e2121e094d887487

  • C:\Users\Admin\AppData\Local\Temp\tizic.exe

    Filesize

    172KB

    MD5

    7dd75e89f108b8fe838e57e5dd5f1735

    SHA1

    ec07ff3e2d80fffb6bedfd2743c5523052a9eada

    SHA256

    45ac4ba18b7227a5751d1f8aafe85eea46827074e3fa2ebb52a2ff09a630019d

    SHA512

    d0c5668e3c282dbdeb497cdc7c3c811ab59a71ae995d44aa5cad2f3fd9b5933d0ac7f30b4252dc06ffffba4bc180605bb6f322f9c5eebbb373e9fb22bccb5963

  • memory/456-1-0x00000000007F0000-0x00000000007F1000-memory.dmp

    Filesize

    4KB

  • memory/456-0-0x0000000000A00000-0x0000000000A81000-memory.dmp

    Filesize

    516KB

  • memory/456-17-0x0000000000A00000-0x0000000000A81000-memory.dmp

    Filesize

    516KB

  • memory/3596-20-0x0000000000130000-0x00000000001B1000-memory.dmp

    Filesize

    516KB

  • memory/3596-13-0x0000000000130000-0x00000000001B1000-memory.dmp

    Filesize

    516KB

  • memory/3596-14-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

    Filesize

    4KB

  • memory/3596-43-0x0000000000130000-0x00000000001B1000-memory.dmp

    Filesize

    516KB

  • memory/3648-41-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/3648-40-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/3648-37-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/3648-45-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/3648-46-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

  • memory/3648-47-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB