Overview

overview

10

Static

static

3

a1ebe971e2...56.exe

windows7-x64

10

a1ebe971e2...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe

  • Size

    305KB

  • MD5

    e5e61363612d412f21409f38dc16f265

  • SHA1

    c92a039870d46e84f1c14073d2ed7ea166e057e5

  • SHA256

    a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456

  • SHA512

    6f74987f022bcb22e88dedf58ad84548c02b801f140854d9a4c8b6ac9047519124c0c8bace2580789ef37913bfa9607c240d2e5cbb6a620a1e67ce6238c27d98

  • SSDEEP

    6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw:ytCLD7+51gxeq3gOU9EEQrhw

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe
    "C:\Users\Admin\AppData\Local\Temp\a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Users\Admin\AppData\Local\Temp\kavey.exe
      "C:\Users\Admin\AppData\Local\Temp\kavey.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Users\Admin\AppData\Local\Temp\luhowu.exe
        "C:\Users\Admin\AppData\Local\Temp\luhowu.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3868
        • C:\Users\Admin\AppData\Local\Temp\kagou.exe
          "C:\Users\Admin\AppData\Local\Temp\kagou.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3360
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    bab5589405de7ca0c5b9c4171c1f29ba

    SHA1

    9af93b3744f7f0778e56b910f2db896be660c595

    SHA256

    eba41b2ab0813fd62dd0eb11eedeec782da2d1998e92b0a9d88b178c9211a8ed

    SHA512

    aa1a9daf16675d861b50dbda7e1a340350fe8c07f978eb72da7302598cb64e400cb741ef4b49cb2fae4fa92a1157049876f7446b01ad54d29b420ad6c09fcd20

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    340B

    MD5

    b37f4fc044ae0c7895eef35ca18a209a

    SHA1

    ddff4f89ca3ee9b3d2bfc87b43df12e786e552ff

    SHA256

    e753f9f3cc95fcb7a21700c96092742239b292f3bf4b8834a5cc4b22c8d7e602

    SHA512

    f1449bb47e3f3ce82ca721a1c5d87e34178d535a98398264e48b49056e753944dcfa79c9d976dfcfc310a1bef326a5d841460757704e3ee76b218ada6816f1ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    289524ca3a5477be4d09f046971f20b2

    SHA1

    d13a862fa4b3e924fe065e81b52a56782af84ccf

    SHA256

    7bafb8f41e97655b90cb6a72b9366fe6b70b9d4fbbbb6c6a58f829f9b61cf597

    SHA512

    0b6c31b70aeb59b8f9016f834d81dd9876924fa2f447dd510da51c06ca4ba8396397b3bd705fff5a7c4c2059d1ebb7ef63d220109bfbf86ab78ec5f163d38903

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kagou.exe
    Filesize

    223KB

    MD5

    74d61db1530b2312e4d8cc043f467ae8

    SHA1

    159189e72dce2d3a38196256a60af1483ec935a5

    SHA256

    25c86819c898f4ef4678f287ee3a83f64a85f62b615ed81a2f2b90d16d669793

    SHA512

    10eb64ee36400fef1e30e817076aa2a19812bef35db042db98a0315229ff008d3e4e5fe98d5b08e84693651e2adfd8ff0e16cda969f8c65a5182f906f7c07415

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kavey.exe
    Filesize

    306KB

    MD5

    167274e0535ba32b2543e7b22f6bacba

    SHA1

    c312a2eee50c7cc6ea850a740ee3b1e7d8f5f721

    SHA256

    7b176f39f675ac4e515677120bb65bda9c77e62c6bf974be587edb1a892290af

    SHA512

    1c1cd646b2f36ddd1096acfc6ad93ff003b321ed57b00d7e1163e26c9f3bea84b2a24e62744d053d8e404729cc2236f38bb5b0ba094df67f565a023a684e537f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\luhowu.exe
    Filesize

    306KB

    MD5

    f72135581463d65b9d733a0a14a64ffc

    SHA1

    76cfd0b39d6290235d3902580ff2650447fa4646

    SHA256

    c65eb589e4b06cdd469cdb421fb253e16478dc4dfbee14deff2c7c061f19b8a0

    SHA512

    6cdd6e74f1b629e5ca1fa9d1139678ea1e93cfb0a19a9f890fc2c3400d3806ef3d42ff5e75a6f072f0aaed7f9e53cf282160e0afd1a87bf185b832cc30791af1

    Download Submit

  • memory/1364-14-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download

  • memory/1364-0-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download

  • memory/3360-45-0x0000000000060000-0x0000000000100000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3360-51-0x0000000000060000-0x0000000000100000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3360-52-0x0000000000060000-0x0000000000100000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3868-26-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download

  • memory/3868-48-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download

  • memory/4348-25-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

    Download