Analysis
-
max time kernel
149s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 11:12
General
-
Target
da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe
-
Size
537KB
-
MD5
426c78ee2009d2fbb2d82175efc7ba0d
-
SHA1
efc24b7755e13b36d932134e72b69b90c7e474c9
-
SHA256
da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877
-
SHA512
7cb83253a06f495fb061aa20ad47e126924422548ce221b5b723fea612a9e03a3ed5f0d5ee7abad64decf0c5442b4325275ef092f3f4d70047e0ea39693d3c08
-
SSDEEP
12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP2:q0P/k4lb2wKat2
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe"C:\Users\Admin\AppData\Local\Temp\da633c7a5e98d37619fb6def516e9aebc06a5f5a21021076d3f94fb441615877.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iznul.exe"C:\Users\Admin\AppData\Local\Temp\iznul.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cooxr.exe"C:\Users\Admin\AppData\Local\Temp\cooxr.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5c4efe819e2366edec7d643c69ee8a49b
SHA1f244dbef613b9c583e0c6c1819d6dd5aede1d309
SHA256b0283a7d0ebc3a71c143d882e70a5719a2554ed47d5f22d2cefdcbe5bc2d9e89
SHA5122cac26a8d2d97fcc700e2270774d8e9c8e767a49285cc95d6ef29e80aa80026d8fa34e8100adb1fe221fc4ae68c8112c20a1c169eaebcceab559f46228a066f5
-
Filesize
236KB
MD53ef1f92e1e95ae0223127ce97fcf1a60
SHA1c4976d6da51f7d0540627ff72e2e0ecdc3a4091c
SHA25618b2a37439600a433d9968a4f427d344fed52c4165f9547a6891b844b0fb231a
SHA512a1e4f1d35b8f62d5d2eb602573c08e0fee3c4445e8417c617034505cee152f7a6d48de60dea15262152f0969fd106b1b8985da842db35cb20115b7dd502ef568
-
Filesize
512B
MD592b4a0cfb8eaa5621ca6d6d7e2e83843
SHA16030b8c09170171c7bb4c54d2b64da9ac90a1fd8
SHA256d978613698ab47258778b18ed6dafb10ba37efda9ae3230a165cae85388c2f3f
SHA512de104c0f088efafc0f6810d83b9747b17df52ae5a9edf15fea8a0f49b2dba4bb6631818d452d8ad4ede5f64a5c00265440069d457fd5be564b30aeb043e80cae
-
Filesize
537KB
MD56af0addde9ec9c47df8bbff421cc0bea
SHA111531746c1afcd48b7300fef44f58368c9126078
SHA256de6b5fe06a3624e1dc8f4827ca2ed044e32b31fe123a910de9aca8fa9c6f22b0
SHA512f24cff45277a192fd495fbfa10291b9a164586e3da9fd6f27fea2b0760c984dc037e0afcaebc9444c7fb9fa9168576d5cb8ebef37e18950f341df71c1d873922
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
4KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB