Overview

overview

10

Static

static

10

54b7d5752f...1d.exe

windows7-x64

10

54b7d5752f...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    89s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54b7d5752fe4745aa4853a78ca45cc8d67822a83084970d3208a71416847f11d.exe

  • Size

    466KB

  • MD5

    2f4397a18a4deed68940ab94a69402c5

  • SHA1

    d58a7d3a479d88bed63a43bfd3fc0c4d1ce66797

  • SHA256

    54b7d5752fe4745aa4853a78ca45cc8d67822a83084970d3208a71416847f11d

  • SHA512

    df9570e7dcb5e9c8c4ddb120476314d1915f118a131c8279580398d2294cf33088c511988af4202c23d241c9a1d95769f4be3b9ddf56d7c3bb4fe4d36276d40e

  • SSDEEP

    12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Uw:Y6tQCG0UUPzEkTn4AC1+P

Score
10/10
urelasdiscoverytrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54b7d5752fe4745aa4853a78ca45cc8d67822a83084970d3208a71416847f11d.exe
    "C:\Users\Admin\AppData\Local\Temp\54b7d5752fe4745aa4853a78ca45cc8d67822a83084970d3208a71416847f11d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\raxum.exe
      "C:\Users\Admin\AppData\Local\Temp\raxum.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Users\Admin\AppData\Local\Temp\edloa.exe
        "C:\Users\Admin\AppData\Local\Temp\edloa.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2432
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
    Filesize

    340B

    MD5

    d9d1c0129faacec07ba85d406adb4457

    SHA1

    36202ad4e4d1e739939e74686cbed0ab2c7f8b7e

    SHA256

    96fb8aa07f15cf2bf2f86a785c217b87c0db36766fe1f587b889f55aeee4830a

    SHA512

    e65ea5329001a51197ad5311a0e3d30f8d07e9c2ed4d89101852cfe5bc2921b1a0f517fe51d07f7ac7cc577674cd4e2ed19dca3c444505738649f11c9afffb90

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    6be65604ab7b185327ad8d2b754ba3df

    SHA1

    1190da543731c034317adeebdc8ecb9233235896

    SHA256

    612c306ddb853f2083fa169db9a79d54ff83472d04f98956cd76fe00f5fd7665

    SHA512

    ff8c446cdd121bb63e46fb5ab365b0d71abb937ab70450a6523d942eec66040328dd92f9b658de37bae5f67e863bb45abf95cdc5013ea2df815ffd0158b9173a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\edloa.exe
    Filesize

    198KB

    MD5

    84cd8ec238bd8cea529e60d191ac34b0

    SHA1

    f7b331b0f9116b4861aa3be783201356ccf610a9

    SHA256

    32e3b460af1b7616499ea049564f752288fee929516719c4d7be840a45ae3c23

    SHA512

    b186d2b3d26321cf8bad6ea048239b2a0c31b700e371c0aa84f5487caddd50f82c7052280be81b7bbe184937feaa68438bdae6eeb1ea21efbfa0457c86ac38dd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\raxum.exe
    Filesize

    466KB

    MD5

    df6e88ff3f9dadd5905bfb4399a30419

    SHA1

    0da49e8c6fac08d492bcdf7ddeb9eaa166415b66

    SHA256

    ad98d8972880181038dd4bdea9e1da97e17e1905f7c7ee29846683fab01d0978

    SHA512

    e117df2b2f06f5b511352edfcb48dba6de0bbd99b8e152afe95677e48ff9f94630c169a64bf9925fbe3cdca521710b2318ef58a7d93647b429349bfd13a5cebc

    Download Submit

  • memory/1648-18-0x0000000000B70000-0x0000000000BEC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1648-0-0x0000000000B70000-0x0000000000BEC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1648-8-0x00000000023C0000-0x000000000243C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1792-16-0x00000000008D0000-0x000000000094C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1792-21-0x00000000008D0000-0x000000000094C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1792-28-0x0000000003650000-0x00000000036EF000-memory.dmp

    Filesize

    636KB

    Download

  • memory/1792-27-0x00000000008D0000-0x000000000094C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2432-30-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2432-32-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2432-33-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2432-34-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download