Overview

overview

10

Static

static

10

0396318088...65.exe

windows7-x64

10

0396318088...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2024, 07:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe

  • Size

    537KB

  • MD5

    cd8f8d72550c4fc793b2da453251ae5a

  • SHA1

    7856e981408deea7ff865db131f03b7417175c38

  • SHA256

    03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865

  • SHA512

    815d0a545504969a977aea9c6c976532275344a5f556cabe57f4a5f683fd02054f54fe01cd1d77412f25edd254363fdb3f24d47282529a1d80cf7de438e4e8fb

  • SSDEEP

    12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP3:q0P/k4lb2wKat3

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe
    "C:\Users\Admin\AppData\Local\Temp\03963180889c76134a4eaa597f97dc888d24bb77edf90f23f6d27eee58946865.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\xukuf.exe
      "C:\Users\Admin\AppData\Local\Temp\xukuf.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Users\Admin\AppData\Local\Temp\eqgur.exe
        "C:\Users\Admin\AppData\Local\Temp\eqgur.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    37dac236676a663a57ed8089ca8225f7

    SHA1

    0a5b5119067a9dcb2a19f3b0a1732527c857e664

    SHA256

    b9130b9721de831ae89992a64bef70d6d7561403b4f45903c8f534da6cebf059

    SHA512

    bfbb2da2f9d9929105308462d60c1ba9e3fe1819d89e8f216744a68baf9fcee225eb9bf1efcaad6d46a6dc2bd7ab55649756d48705105efac2fad4942746ec5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\eqgur.exe
    Filesize

    236KB

    MD5

    f1d498846661754146256f3b5c2cb878

    SHA1

    0fb25920aee82ae1d4ed1fb5166abfb59d55379d

    SHA256

    fa4844b06d914f4f9f6c17c7d9a92919c1ce2db0755b73d0d3cf9de1a6f95b80

    SHA512

    5e93fe500587acae9a16ae8487c7d1c4ae31f12a10448874c8ff689fc55f3298b8d07cbcc1a743f7f267e20f937b15c0aa411604f318a7152478ea746f5ba64b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    7b627470864822bcdc5279e9ead76034

    SHA1

    35ae871cff2842ec737eeaf7ced170fcf7b381c5

    SHA256

    6f7ddf9f9662ccbbd741a1d4b4301af69ff180f7627973ab0ca1b604a17a3927

    SHA512

    4b6b75bbf3d2b991687f71f569e06a3d1c50c94deed6a9d7976ca869bb7ab8faf79c313d41597ea29f6b3e1b0e033c2974f2829d7bcb3795f9a827ea2863ba45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xukuf.exe
    Filesize

    537KB

    MD5

    dcb1aaba9fb422ccbc86602105b8e611

    SHA1

    83761bf78339194e7c870f9984f372737b011058

    SHA256

    97defa73b7cd45bd4e786894a87f7318cd32963640253ebb40c182ea7c8525bd

    SHA512

    c1b7156402d68020bbab540ea8e61896f841968aa412fcb9c2018258050abb5b182d42df8b3cb0396020e5b591cb52363a36af2bb6f8b7bf66fd6825fa221b39

    Download Submit

  • memory/1964-27-0x00000000010F0000-0x00000000010F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1964-25-0x00000000004F0000-0x0000000000593000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1964-30-0x00000000010F0000-0x00000000010F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1964-29-0x00000000004F0000-0x0000000000593000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1964-31-0x00000000004F0000-0x0000000000593000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1964-32-0x00000000004F0000-0x0000000000593000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1964-33-0x00000000004F0000-0x0000000000593000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1964-34-0x00000000004F0000-0x0000000000593000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2880-13-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2880-0-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4120-16-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4120-26-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download