Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 01:09
General
-
Target
a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
-
Size
442KB
-
MD5
0e97fb91d36776868935265a493c0020
-
SHA1
f30211f2bcf09fc58dd129f454b38c2fc54e7618
-
SHA256
a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528
-
SHA512
16f21fabc16f2026793163b07232280f47d620661cbe50661568eff65aa54131b172645e7bcfb4cb0bf731b24a831c74f1b34c9f2dacf7e57773c6565f2ac275
-
SSDEEP
6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGM5:rKf1PyKa2H3hOHOHz9JQ6zBA
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.165
218.54.31.226
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe"C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ficup.exe"C:\Users\Admin\AppData\Local\Temp\ficup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\byfue.exe"C:\Users\Admin\AppData\Local\Temp\byfue.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD53a634cc49790e2bc9da2bb9f70159dc2
SHA1251cd153f8976c0b814612a394a0c5a10d1dff3c
SHA25652146206755f0b2026399fd33daa8bbb9a41a6d33aa254383c45768dccad637a
SHA51204d1e50cbf6391023bde91645d657a564e531c8db14051189019874da56fbb647704b95265ee57984800a4099727625549e26b406735b875153232439a2b6392
-
Filesize
512B
MD5b8d01b3c938af30e62ab771bca8ed349
SHA14707f2289d122703bb90bf78b69c644a4c42c073
SHA2561c445bbdcbdb396c834ea778fd33310ca61af8fb26026721d208d1847e07fe8c
SHA51221e9b30a7673e6aa700840e2c8dcc40ab5c97f276ece9c0bf8c640b1c8e2749315f172bb11821a6f76684900406c983f5006235090ce2587468cf66b2cc9e02b
-
Filesize
230KB
MD55bd20465e9b2d64ae41f4b555affb06b
SHA1a94e06fc2dede2edd4050de6fce2a54d29661c03
SHA256feb7ca818948ac19f09e610bc2ec035664f97b9fe0d2bfe284fe7aa178be3237
SHA5127cc22565973a5170b34f37994abd51f943c920dea815191a1233a551cb9aa5d19d86616f3cc2972a0b5756647a7734c5451d8ba95779238760da0495900f67e3
-
Filesize
442KB
MD54acd0dcf92262334466bb8817d02c540
SHA1746fe1161fe8478d16003ce368c385a88fb3b064
SHA256d4579b194f427aaadd5e3f497531828ab99ad814831be32996097dea22855506
SHA5126223918237eee9e0e25b7d71c98057f41bfb394b47eff630db824ff27835583257ae54c95bd36d2f0a90abae943e0e07f977cc401e0a09f9d19948608942de26
-
Filesize
4KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
632KB
-
Filesize
440KB
-
Filesize
632KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB