Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 23:31

General

  • Target

    b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe

  • Size

    546KB

  • MD5

    b3b4c5ef066d864835569193e4962ae0

  • SHA1

    195006e7f4633c904ae7a39b4ac04416ff20ea34

  • SHA256

    b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947

  • SHA512

    7ebd44fd19ba04d7ff935e2e5a37800cdc3126d87d0e32240ed9e04220ec87f00b7cbb6bfe590d4475f3c5d8b17f9475955362b2aba82b0fcefc529860da6f69

  • SSDEEP

    6144:u2Kw7lwFXUEeJi2xVCVxfwY+0QSyvmZ3INALzT1uj65CT1i6iSyYQM0JiS83G48q:u+GtVfjTQSaoINAHT1VQ1i3SyQEW85gT

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe
    "C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Users\Admin\AppData\Local\Temp\ejxuu.exe
      "C:\Users\Admin\AppData\Local\Temp\ejxuu.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Users\Admin\AppData\Local\Temp\gizuh.exe
        "C:\Users\Admin\AppData\Local\Temp\gizuh.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 216
          4⤵
          • Program crash
          PID:1532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 224
          4⤵
          • Program crash
          PID:2708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2936
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452
    1⤵
    PID:5016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3452 -ip 3452
    1⤵
    PID:4728
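As an added example (not part of the sandbox report and not Urelas code), the following Python script turns the indicators in this report into host-log detections and runs them over a constructed set of Sysmon-style process-creation and network events: the %TEMP%-to-%TEMP% execution chain and the cmd.exe /c launch of _uinsey.bat from the process tree above, the two C2 addresses from the extracted config, and the SHA256 values of the sample and of the files listed under Downloads. The key=value log format, the parent of the first process, the event ordering and the network event attributed to ejxuu.exe are assumptions; the report does not show which process contacted the C2.

```python
"""Turn the sandbox report's indicators into host-log detections and run them
over constructed Sysmon-style events. Added example; not code from the report."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the report: Urelas C2 addresses, the submitted sample's
# SHA256 and the SHA256 of each file it dropped under %TEMP%.
C2_IPS = {"218.54.31.226", "218.54.31.165"}
KNOWN_SHA256 = {
    "b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947",  # submitted sample
    "c2c75b102fa32c3d49d6145fa770a08c5523efa17c88259e64aa73b91842e74b",  # ejxuu.exe
    "e1e63fbf61e9b035190f1ba979e7abd8fe41cccc989d9c61174f2fa5be0f1ddd",  # gizuh.exe
    "d9c0d798502cc36ff171743b250f65082e9e23e939b48006c5478e3ff362a5c8",  # _uinsey.bat
}

# Image path under a user's %LOCALAPPDATA%\Temp, as in the process tree.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# cmd.exe /c "<something under %TEMP%>.bat", the shape of the _uinsey.bat launch.
BAT_RE = re.compile(r"\s/c\s+.*\\appdata\\local\\temp\\[^\"\s]+\.bat", re.I)


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    sha256: str = ""
    dest_ip: str = ""


def parse_event(line: str) -> Event:
    """Parse one 'key=value|key=value' line (assumed export format) into an Event."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return Event(
        kind=fields["kind"],
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        image=fields["image"],
        cmdline=fields.get("cmdline", ""),
        sha256=fields.get("sha256", "").lower(),
        dest_ip=fields.get("dest_ip", ""),
    )


def detect(events: Iterable[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings. Process events must arrive in creation order
    so that a child's parent image is already known when the child appears."""
    image_by_pid: Dict[int, str] = {}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        if ev.kind == "process":
            image_by_pid[ev.pid] = ev.image
            parent = image_by_pid.get(ev.ppid, "")
            # Dropped EXE launched by another EXE in %TEMP% (sample -> ejxuu -> gizuh).
            if TEMP_RE.match(ev.image) and TEMP_RE.match(parent):
                findings.append(("temp_exe_spawns_temp_exe", ev.pid))
            # A %TEMP% binary driving cmd.exe to run a %TEMP% batch file.
            if (ev.image.lower().endswith("\\cmd.exe")
                    and BAT_RE.search(ev.cmdline) and TEMP_RE.match(parent)):
                findings.append(("temp_parent_runs_temp_bat", ev.pid))
            # Exact hash match against the report's sample and dropped files.
            if ev.sha256 in KNOWN_SHA256:
                findings.append(("known_urelas_file", ev.pid))
        elif ev.kind == "network" and ev.dest_ip in C2_IPS:
            findings.append(("urelas_c2_connection", ev.pid))
    return findings


# Constructed events modelled on the report's process tree (PIDs 3556, 1104, 3452,
# 2936). The explorer parent, the notepad control case, the 192.0.2.10 connection
# and the C2 connection from ejxuu.exe are assumptions, not report data.
SAMPLE_LOG = r"""
kind=process|pid=4120|ppid=900|image=C:\Windows\explorer.exe|cmdline=explorer.exe
kind=process|pid=3556|ppid=4120|image=C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe|cmdline="C:\Users\Admin\AppData\Local\Temp\b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947.exe"|sha256=b585a1e9b91e9a98e5f8a65a4b9ec8990a132db39d062c32bbee7d4ba619c947
kind=process|pid=1104|ppid=3556|image=C:\Users\Admin\AppData\Local\Temp\ejxuu.exe|cmdline="C:\Users\Admin\AppData\Local\Temp\ejxuu.exe"|sha256=c2c75b102fa32c3d49d6145fa770a08c5523efa17c88259e64aa73b91842e74b
kind=process|pid=3452|ppid=1104|image=C:\Users\Admin\AppData\Local\Temp\gizuh.exe|cmdline="C:\Users\Admin\AppData\Local\Temp\gizuh.exe"|sha256=e1e63fbf61e9b035190f1ba979e7abd8fe41cccc989d9c61174f2fa5be0f1ddd
kind=process|pid=2936|ppid=3556|image=C:\Windows\SysWOW64\cmd.exe|cmdline=C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
kind=network|pid=1104|ppid=3556|image=C:\Users\Admin\AppData\Local\Temp\ejxuu.exe|dest_ip=218.54.31.226
kind=process|pid=5100|ppid=4120|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe
kind=network|pid=5100|ppid=4120|image=C:\Windows\System32\notepad.exe|dest_ip=192.0.2.10
"""


def run_sample() -> List[Tuple[str, int]]:
    """Run the detections over the constructed log and return the findings."""
    return detect(parse_event(line) for line in SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for rule, pid in run_sample():
        print(f"{rule:28} pid={pid}")
```

The two behavioural rules depend only on path shape and parent/child relationship, so they still fire when the dropped-file names (ejxuu.exe, gizuh.exe, _uinsey.bat) change between samples; the hash and C2 rules are exact matches for this sample and its config and will not generalise.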

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

        Filesize

        340B

        MD5

        dd7c8785f51046f83436243e0a873117

        SHA1

        c3e08b6fccf9cfec64a010daeb9e96c814dd01e2

        SHA256

        d9c0d798502cc36ff171743b250f65082e9e23e939b48006c5478e3ff362a5c8

        SHA512

        f8a80c63ad526eae7f0424db2439a88901f2aa8bfbcdf4a06bff4ff56c6dafcdaaf12a1524dee5d2885fd6b39f0ea2096789c4455cefc9e212e6833eb112dfa1

      • C:\Users\Admin\AppData\Local\Temp\ejxuu.exe

        Filesize

        546KB

        MD5

        4cb2773fc3505f63b6652f15e17db99b

        SHA1

        7b89ebc7c123cbdbd90595736b5dd4f7c6a23f48

        SHA256

        c2c75b102fa32c3d49d6145fa770a08c5523efa17c88259e64aa73b91842e74b

        SHA512

        de24a5c6ca23723fab5a4f60585fcf48d6faf4be41c8890aace732a30d8facc457a4c178fc04c982e65895ab1665ee17b5f2f6551a8e8582d9d17a1238a1b065

      • C:\Users\Admin\AppData\Local\Temp\gizuh.exe

        Filesize

        231KB

        MD5

        2da205a6f7666d27dbcda0d0d14f1c23

        SHA1

        2ba33bb082e4d6009aea5cd12bfb01448708a9e5

        SHA256

        e1e63fbf61e9b035190f1ba979e7abd8fe41cccc989d9c61174f2fa5be0f1ddd

        SHA512

        d5a7f0cfc8ce8870c6785e97cfa6e279133120b16352a358e9347c41f34c6475350151321cd2bb6a24e032cbfad3b466e282d302dd7e483fc053c3ede77d4626

      • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

        Filesize

        512B

        MD5

        28cb3f3a2750d34afb1bbaae2aee706a

        SHA1

        9ed1eaa75b11eaf8ac7b67dccbd5a556ac22318c

        SHA256

        bac156487ab90273fdfb13d13ab314a186397004978e43a810aa264758a5d817

        SHA512

        e5defc43265995bb281d30d553d3df8621ac1298d3e1bc45e0e77f268069504384a9785d8c4c90d187b41048d17b50c8fa17ad253c76a79b49610368f1b96bd0

      • memory/1104-10-0x0000000000C20000-0x0000000000CAF000-memory.dmp

        Filesize

        572KB

      • memory/1104-17-0x0000000000C20000-0x0000000000CAF000-memory.dmp

        Filesize

        572KB

      • memory/1104-27-0x0000000000C20000-0x0000000000CAF000-memory.dmp

        Filesize

        572KB

      • memory/3452-26-0x0000000000260000-0x0000000000313000-memory.dmp

        Filesize

        716KB

      • memory/3556-0-0x0000000000EA0000-0x0000000000F2F000-memory.dmp

        Filesize

        572KB

      • memory/3556-14-0x0000000000EA0000-0x0000000000F2F000-memory.dmp

        Filesize

        572KB