Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 08:32
General
-
Target
ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe
-
Size
543KB
-
MD5
cdf2e902b453c3dccc1658655f7caad3
-
SHA1
441bb83238e980f4d3f41f7c69d61de319be3923
-
SHA256
ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd
-
SHA512
60af098d0bb5f263889b99bbf2a1efedaec793c63a8a5794f2df96a36dcee8e337b556e63c13c24076e6f086aa3129e2bfc8cd37e4d8d890119cce7180764638
-
SSDEEP
12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuX:92SLi70T7Mifjg
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe"C:\Users\Admin\AppData\Local\Temp\ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ewsya.exe"C:\Users\Admin\AppData\Local\Temp\ewsya.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\foloz.exe"C:\Users\Admin\AppData\Local\Temp\foloz.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5f31aece61160d8cabfae378b8c7c2d11
SHA16daa126c4fa424c275543531892d53aeee999d7c
SHA256e1043843a439432f794ed187edd8889ff876e752969719dfaa7f98c1a83524df
SHA512082ade7faddca5fda620bcf92c10ad514f9aec865fd8df329dc98326fc2cdad1522d93c646ca65a58bb3b385fca4613cf1eeea11d672f811e77935d1133bf664
-
Filesize
543KB
MD51e861403adb1ac24e156e9f8dfc9122a
SHA1525e30c28a7427aba1bcca32e487aee50b6cf693
SHA256f94697f84a234ab47719bdc751ef780e73a0c23f7f188fa6556e38216642adf7
SHA512949353f877e2cc6d7106d25cad393adf79f5cdc79d097758a54c2b7e385e2156ebf7c091f0134a67f90e3f64a519aa341e4d08318c416b08f92e0c45ec8b8704
-
Filesize
230KB
MD5bdcbaa9c0d4c1e352942007bf85d582b
SHA1365eb28f67d0c25f2fc604e30e52d5b21f7769aa
SHA25628bc35ff395a3de9ee6232c04b383288956d5df9187f88922e08c1261ccfae5b
SHA512154725144147c9f36e44a71ab3318ecdd528a446b28400e518a9498254affe34498b06b429580b7444ef511e2481077c856af5f5a50b64ec1d459fa1625ce051
-
Filesize
512B
MD51b8a5296b5b0d684a29d62a9684492f2
SHA12bb007faaf939661094c39e8f71fbf57fefaf09c
SHA2563036cc99ef0cd8aaf4706af321b8036bac24f248b64d807652cc0aa78685cb96
SHA51204b89bc5d3de58382df91d8b1adc52a3655f48faf75ab26524cb8d0f36d10cd34e91a60bc2f37deaf7fa1476978decffcb123573da9ab8c5d60685156488b718
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
540KB
-
Filesize
540KB