Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-11-2024 07:02
General
-
Target
4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
-
Size
542KB
-
MD5
7cb2da7a368758901ae50496e1ab8409
-
SHA1
67462ee2244a439670ddc83b9476d04b1d291eed
-
SHA256
4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb
-
SHA512
f91c7691a5e5d93e98cf00a2b6911cc0a549462eb3e38e107697b154a2b830ce0659ac6cc02e151258c913f1fd3d3e74faee68b1082e310d38444713e4bb0484
-
SSDEEP
12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuK:92SLi70T7MifjR
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe"C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qoexy.exe"C:\Users\Admin\AppData\Local\Temp\qoexy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cuceu.exe"C:\Users\Admin\AppData\Local\Temp\cuceu.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5b8b3786bea09df4dacdda40fa528792b
SHA18ed746037a2ffe98e00f5ae2f82b814883a994de
SHA2565a89a5a62b7449a512e0c173968af37c730d348158bc1f5c914b372d0838bda8
SHA512979f9494f9270cf190ba63b163ecff1ffb4fff1ed234294e76b52547124595d62ca61b1d8cee376f6d8281f3f52191fee27a7494527512b1255b4ce60c976ded
-
Filesize
512B
MD544144553d5c6c928688844c9e67f95a3
SHA1294eb2515c76d9bb758c9336eafd51b62e21ccbb
SHA256b8d4836d224fa1bd61097aba767d6b7af892df9c9d9ac1cf2a54b6a6193633c7
SHA51240db158872adc910668d77f67186bb02d47504483d1c1795e7ca0b7d8ccf1139f08cfc2094a62f0a49b5d6cf04334082a6c4aa0749613c51b81076d6f88be309
-
Filesize
542KB
MD5690ce6c60603a0987dda3ad04d41d714
SHA1adf83cc780d5430db9355f8e05c0b221b65ea540
SHA2567aac1f667774ef360aa071d49cb4b6b810852cf4cdda4f3d56a876a035f9abf4
SHA512dfc06a0ab3e9fef6793c3365a6f444c11acd115bb098f51cfdbe53f0559609956c70457224882903623d199f27d65f4f9178863ab3af6ca93eb56677257146cf
-
Filesize
230KB
MD50c19089cf756af33ced39d0efb79ccc1
SHA14aefe883f6fa6bdc18bf8e140b5dd04a4b1ea70f
SHA25647bbb84aac8139366204a5e2de164655288ef2f25c8ee7fa6a2cd7d537e39c93
SHA5123b72f9b995ca198a1c69df9db64183c27ddb2f37844ad1e45029eb2db10240fc0827662e5c8117ffd8c758821fd02f6051019ac84dc9c80ab2bba242b7a99495
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
540KB
-
Filesize
716KB
-
Filesize
540KB
-
Filesize
540KB