Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 23:12
General
-
Target
635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
-
Size
331KB
-
MD5
e03c1b27b6239ebea9c12494b4f912cb
-
SHA1
a50459987dfa39124e5580ff86e8f25c71d512b9
-
SHA256
635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11
-
SHA512
cb720e4c0c66faed2098a2464c8518ba21fa874eda9d09bd57c9d4bfbc11382cfa2d001e53b7832b0b2b63c9f88ebcf3bb6d4312767e61f002e6381bddf460ec
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOFr:vHW138/iXWlK885rKlGSekcj66ciqr
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe"C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\koidw.exe"C:\Users\Admin\AppData\Local\Temp\koidw.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\biurr.exe"C:\Users\Admin\AppData\Local\Temp\biurr.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5d98649b4f98a9524d418f6db6f8a62ee
SHA1a17919e3b7075d8838509d2a734ba07cd25a90b8
SHA256bbb64a9ea757f086fb04bb74b2db5a2258b3059672828ff33fc2db142e5334c2
SHA5128f7559df132bed14b9624c48b5c01c0a0a4194343902f7c472a827f149afacdd9dc2eaf75b25cb9d34a7539672cb28f19c6fec6e2ac748270f5aa8eddc396d08
-
Filesize
172KB
MD559fb23441574dd50fec42c5b6671ced5
SHA1fc7f8e81b161aca6c6832ff401327a46460fd535
SHA256a62182b9b463036a8e1819bad2d96bdc766006f7ae1fdffca5f2c788f73a524b
SHA512d53fdb8073dc172c9533d3a70c94d8dab3c8127bfbc017328b8c87a0d026a3a457d07430b0e6f3a5576fad4dae56ef180418ee10076ec5e4a659849e735491f7
-
Filesize
512B
MD5f07baf4a3752405f8d7ddae62aec0c94
SHA18da4df9831888431cb5bca8d23d033a15d7b914b
SHA2563bdd3f8a100e4d4ca353ca67b2a188246f19f5c381797478c3793acf21e0f5bc
SHA512c81d071dcd71bced8c5580cc5de9e858150878ace2f0ae6987fc883bec7aadc2f2716982bb8ec18d4151cf30d50fdee6f3650427341d7144f7920cc707e08674
-
Filesize
331KB
MD523003c757db168f46bccf128e5b9b716
SHA1482b842488a6f29e6452707b547d184440860cc6
SHA256824504b69662a18f0162ab03b2a302d9362d8ec7b6d833e41cfbe113946f5394
SHA5124d2a1617f246d2630f07d40ab39ac4b77a9cb9c443a0af357b8a59ffe39635444c4f147dcfb2862b55302a7133a0d7590137ce9eb42f06a9295861488722143d
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB