Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/11/2024, 23:22
General
-
Target
635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe
-
Size
331KB
-
MD5
e03c1b27b6239ebea9c12494b4f912cb
-
SHA1
a50459987dfa39124e5580ff86e8f25c71d512b9
-
SHA256
635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11
-
SHA512
cb720e4c0c66faed2098a2464c8518ba21fa874eda9d09bd57c9d4bfbc11382cfa2d001e53b7832b0b2b63c9f88ebcf3bb6d4312767e61f002e6381bddf460ec
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOFr:vHW138/iXWlK885rKlGSekcj66ciqr
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe"C:\Users\Admin\AppData\Local\Temp\635c14e9039915b579be9cb60a92844ab22752f9ee4dead4a9cc89cb496c4c11.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\garei.exe"C:\Users\Admin\AppData\Local\Temp\garei.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xucen.exe"C:\Users\Admin\AppData\Local\Temp\xucen.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5d98649b4f98a9524d418f6db6f8a62ee
SHA1a17919e3b7075d8838509d2a734ba07cd25a90b8
SHA256bbb64a9ea757f086fb04bb74b2db5a2258b3059672828ff33fc2db142e5334c2
SHA5128f7559df132bed14b9624c48b5c01c0a0a4194343902f7c472a827f149afacdd9dc2eaf75b25cb9d34a7539672cb28f19c6fec6e2ac748270f5aa8eddc396d08
-
Filesize
331KB
MD50ea18358a2623d687006c651f88cbc42
SHA187be9b279ab8f32549815547d3b578f933242fad
SHA256d5fae645c641fa851c9accc5627646894a17e21638f7e5acf47864369a332ada
SHA51211491b65252db56ca7c506de146ba85b95ff86260ca76788fefc44ad8b12912bfb296d8b46335545c79e743e0a33e3e36569341bc12d9aef74df5a5068dc9a6f
-
Filesize
512B
MD53008106b12d54ee4ba98b25bbaf8e1c0
SHA153ff99bd5e0e2f9acf0223322aeb7b27900d7521
SHA2563890b2ee8730feca7046a7ded21660849abb3c4cda8c654b04c7c8dad9eb63d1
SHA51263e3455308f4b679a10a5b9341ba7c533ecb471d271af993a00859a5c5ea513d26546fa86fc11434202e1fa1e4dda809596ad898b21b5f076310e1cd617992f6
-
Filesize
172KB
MD5dd2d97e974a4263546262125b16adb1b
SHA1290843245d6718bd93eea3fb90aa876144e7c7f8
SHA256010293442c2e9e6bc1b243ce8844094c77791d76809c2ee92664e37bb88e4503
SHA5128081c52071cc288a3e188ad6b871b9b52e882a868fdebc723cf6cf643cb22c051b444758c310a8a7fba90b6a447a47e290aaf4b697078b98397880b210737428
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB