Analysis
-
max time kernel
119s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/11/2024, 04:46
General
-
Target
97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe
-
Size
462KB
-
MD5
4f4f2f0d0ede717fa4c814da6aafc544
-
SHA1
54d6704a8a3d19d58e7a8353b0ece3111f5642f1
-
SHA256
97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a
-
SHA512
9de1197056ad0a78e8441c2d091f14230597b8858f3e95c4a73c80538b891f504fb8b1831e3ad614011ca1d60f81a8498381378f9d57348f887230d8c8225d27
-
SSDEEP
6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpmU:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsuf
Malware Config
Extracted
urelas
121.88.5.183
218.54.30.235
121.88.5.181
112.223.217.101
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe"C:\Users\Admin\AppData\Local\Temp\97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sander.exe"C:\Users\Admin\AppData\Local\Temp\sander.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
341B
MD5747b8f8d2d89120747194f63c2aa0c5e
SHA1c717c574d690af3d6128ed934a64858d8f9d46b2
SHA25658ee3b3e3838eaba787fda410f9e6161f2e77490358cfaa82f72a79cf4b95ba5
SHA5125363e2c9f8e8f5aa5c7f8156c872a40780c0f34f5d070ef78d17d2266e96e18b5ad69b49552d18cea8106a8881801be4724771f178c2cd61566eefc91cc23a7f
-
Filesize
221KB
MD5b3cd92aa4a1fbddb0f706b99b3aae5ad
SHA12d21e1d8c79ec5e0c0aa1760465d3ffcd1a0d49d
SHA256a929b6a97f8eae1dde56346c668d23c89ba5a984c68fb49c360f542b915776b1
SHA5126ce040b8f17e6643905842f29fa4bf5efc888af7fd4059751f7cc9c27ed03ab1bba051da2b4fc127d7f1d5a3f534a9427ce261140cf36e9d7952d99c582e73e5
-
Filesize
512B
MD504113afab96ff36e7da4cabf336079cf
SHA12ab6a01f123c1ef4227cb134612749b67a237bf6
SHA2568b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16
SHA51268358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9
-
Filesize
462KB
MD5c43ff07b1b65dcb0d0c8cd76f3d1e904
SHA11c0b8fb836183271f18dc0080e3bf1f75d3579fc
SHA256c2ac43aa7c561b054b0a2616e07c036e60ed9fa6f86a9bffd4cee81e10158fb9
SHA5122b11648f3891344dda9f006ff433831a8eede4c0842f5a649a9d25ec0de84e76ab83b76a773c99c0cde583c2c9fd038ced56d3810e5959ccaa84c408319b848b
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
644KB
-
Filesize
8KB
-
Filesize
644KB
-
Filesize
8KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
520KB
-
Filesize
520KB