Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 12:44
General
-
Target
bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe
-
Size
633KB
-
MD5
2dc85d1e4f325a156676d3bdde485025
-
SHA1
f2097f754cb08feedc7cf72ce6101004b000ee8f
-
SHA256
bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e
-
SHA512
b2bb12a5f2d33584cd7361f53f47b3db8a130540cfa38697f68806add1bba36ceb4f162dfd40700efc31d8628950c95d92ad8ea61df8c2831a59ec06d40313f3
-
SSDEEP
12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsf:RUowYcOW4a2YcOW4Y
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe"C:\Users\Admin\AppData\Local\Temp\bd5bb62464e24dd10460989a6c4c4e7c28094af0e22ca61f7c6ca8f853aecc9e.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mijue.exe"C:\Users\Admin\AppData\Local\Temp\mijue.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xuivd.exe"C:\Users\Admin\AppData\Local\Temp\xuivd.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5bd8ebfdcb1c1bca57830986e2ffe55e5
SHA1499a9acee565d3c71c58df966d275e8d98ba3cf6
SHA2568548951834db14210dc7e23fa89c207a74429dd8b5cf5bfc3b8d593fb2845c6f
SHA512b0e370ad45acda055505e41602571193b8a47987751232fde804c53b9c3cef9e0de478377f9e42c5a8fe9571fcbd4fe2f0e87c1dbeda9bb44015c5f94374a435
-
Filesize
512B
MD5efb5577ef63bd655aef9fbede5874e89
SHA19b78c7a664819fa8b73bd6b989dc27ef343eb293
SHA25632d5ba5896d8f3b588605c92084e4e3c775a5a51a96b1d6b4aafabf5ee796986
SHA51285b7058202846c748792beed559820b70f58045fb1623035645d499506394cb2f5654a08b4f9caded7173c3544291226628b6dd353f77657f8b48c07d0a1d06b
-
Filesize
633KB
MD52411e7eb84f2c23fdd98c355f94437d9
SHA1e682dca2b002b5067fbbbd72826736407d0026d7
SHA256444b80226b70e5c47c3fa1160f762f89a9bcdf607212f58291cd5c1c02b943d8
SHA512420ba25073a0a5d869263d6c3d7f699942638999161e03d5376016ede40fa414660752f833763e47e0021671fe4253b76077c165e8b98660ce461a8b2b6991c1
-
Filesize
212KB
MD5cbc57f3f8dd629928a9750d6662075a4
SHA1b4f4875e9002ddd49d855ee203c069dd36280b1d
SHA25640acbba216a770348d6fa3df1bf9768d2e1d52785276d67750cb3b9d849a108f
SHA51289964a901fbed36c99e8bcc5f5592ce3ef9e9feb0f05387e22bcae23ad8f4f633528de52e37012d8723cb21e34f25f5f370c4dc6a2e7f4985d2ce16f7506ab1a
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
620KB
-
Filesize
620KB
-
Filesize
620KB
-
Filesize
620KB
-
Filesize
592KB
-
Filesize
620KB
-
Filesize
620KB
-
Filesize
620KB