Overview

overview

10

Static

static

10

4187dfa780...eb.exe

windows7-x64

10

4187dfa780...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 06:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe

  • Size

    542KB

  • MD5

    7cb2da7a368758901ae50496e1ab8409

  • SHA1

    67462ee2244a439670ddc83b9476d04b1d291eed

  • SHA256

    4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb

  • SHA512

    f91c7691a5e5d93e98cf00a2b6911cc0a549462eb3e38e107697b154a2b830ce0659ac6cc02e151258c913f1fd3d3e74faee68b1082e310d38444713e4bb0484

  • SSDEEP

    12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuK:92SLi70T7MifjR

Score
10/10
urelasdiscoverytrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
    "C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Users\Admin\AppData\Local\Temp\laxui.exe
      "C:\Users\Admin\AppData\Local\Temp\laxui.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Admin\AppData\Local\Temp\ceidj.exe
        "C:\Users\Admin\AppData\Local\Temp\ceidj.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    b8b3786bea09df4dacdda40fa528792b

    SHA1

    8ed746037a2ffe98e00f5ae2f82b814883a994de

    SHA256

    5a89a5a62b7449a512e0c173968af37c730d348158bc1f5c914b372d0838bda8

    SHA512

    979f9494f9270cf190ba63b163ecff1ffb4fff1ed234294e76b52547124595d62ca61b1d8cee376f6d8281f3f52191fee27a7494527512b1255b4ce60c976ded

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ceidj.exe
    Filesize

    230KB

    MD5

    9578c47d348ba8aa5c55fff2f70faa87

    SHA1

    aa5330e927f55bf25a9865c85f6f36136c20848b

    SHA256

    2672d1b44a4ba5533d268971fd026571afdc301c69426531c0b446b01f30aabc

    SHA512

    11c3e9664a3422cc4b5e1673b06015397ee07a28ea9833495174edf607bf0534e08693f594939d914e90088b1acce493b721e27b59ee8668186e4e09c816e03b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    9dc149bc4df31bc2e986433d7dc3c3b3

    SHA1

    bffc378c0a93b3c6c8ea5fdb066e896551c999a1

    SHA256

    1c0535f1ea312fb10d8e127c0bebf0cd64b8724a817d075a5d49e14ed5660af8

    SHA512

    323b6ff2c8f52ca83a16052c4996a8af46511f02c80ace22a0eb5eed2f0d0b9ddb02090cd71accfba50604a80caffab8349decc4e9bd10bb49c760ffeb7dd24a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\laxui.exe
    Filesize

    542KB

    MD5

    4c712f5ba47b5e8e72a83aebc56262eb

    SHA1

    05c95077acb97adfb226c2e5d9648ff92b454497

    SHA256

    f6832e2203bf06c9eaa4dc912421f7841621d2a1fb7532bec5faf72a8e237b5d

    SHA512

    a671620123eef175c43a768095be53e5ba57380459330e0317186c9002a7db54fbdf871d6169fce45ac0191eacefdb8859af9ca527bae9af207313b717bba1b6

    Download Submit

  • memory/1396-0-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

    Download

  • memory/1396-14-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

    Download

  • memory/1632-27-0x0000000000B10000-0x0000000000BC3000-memory.dmp

    Filesize

    716KB

    Download

  • memory/1632-28-0x0000000000C90000-0x0000000000C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1632-30-0x0000000000B10000-0x0000000000BC3000-memory.dmp

    Filesize

    716KB

    Download

  • memory/1632-31-0x0000000000B10000-0x0000000000BC3000-memory.dmp

    Filesize

    716KB

    Download

  • memory/1780-17-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

    Download

  • memory/1780-12-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

    Download

  • memory/1780-26-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

    Download