Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/11/2024, 02:10
General
-
Target
e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe
-
Size
533KB
-
MD5
d0b820b8854a6713fa4ca98a72441157
-
SHA1
afd9ecb1355f66c507294bc3f7667e61dc902f69
-
SHA256
e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113
-
SHA512
6712db2173af63d253b06af6ab58c193683ed970eb4c4ecb3cad4c9d8d69eb6591bc6c77ed8295957e5a7e15d4fa8f6a5e49c4779eb52b50038142be5e1f2d26
-
SSDEEP
12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP8:q0P/k4lb2wKat8
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe"C:\Users\Admin\AppData\Local\Temp\e1e5ef106a6675f9d5bab4ed3f29e5edd55e65ffc9b2fefd7aa9ea4590c19113.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uzbeo.exe"C:\Users\Admin\AppData\Local\Temp\uzbeo.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rizel.exe"C:\Users\Admin\AppData\Local\Temp\rizel.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD57b52d06d75d584f893caa0360974f8bf
SHA1d5a239225dfd50d20337283adcd31ae8ccf860c8
SHA25643b69aee365c7c59018d2457e278dddaa48cabd8a32bb4f87ef707fa5addc371
SHA512be019af072302252e89f38cc9457e7b36f792297b834d375be0ca595ae3a715fe2fa1f68fe0654c23e1288eb1c483b74defa680ab69c0e360083ae4b54429e50
-
Filesize
512B
MD5d773b19d04066b4884ebcb9a4a665f43
SHA1c5fe6254063be4dc805d6bd0efd495b0cebf00b1
SHA256c7d9ad9be26b96a8ecde9b7d504588b7c30a55570d86eeb364e24c627daac512
SHA512d40083b6b9ccace47d15c98ad451c07c542a7d896bd0e8d0670e9a93a05c30a451d458477de60ff2a0c6504b34a376b3772772a4ff28a05dee6d62831d634918
-
Filesize
236KB
MD54ae08922d96071fd05aee7c16396672f
SHA1e98266e2555c2aef53e7fcda5c5ca368eea2872b
SHA256faf7ca6f9038456d7f0042f31e5685aad13582accbe4f95f7607c605a745e7b5
SHA51206230b2841e8d9b2747bf950be5eeb08dbb718e353ac44afa055c22bb3d1fdeeee8d41bc00128a1e8caf5a3bb629def94002a62a7cb4a3693e3b0244f9206817
-
Filesize
533KB
MD5df8a0c6248c680d4ccb284f144128c03
SHA10d5d70925339cd3f9c571ad85f20dec642a86f02
SHA2566da3580b168995d4ef951242f3eedef8064d85dcdc1fb92af874699d55646025
SHA5126318f81013989c17770773a5675239ba524fb3b914ce9e538949e11844f6a2d8030dd5b220f7ead664104b19f265d5f6fb4842956205849ae237c66dad541dd8
-
Filesize
652KB
-
Filesize
4KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB