Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06/12/2024, 22:13
General
-
Target
4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe
-
Size
335KB
-
MD5
656c52672acd38b367c7e81c9523160e
-
SHA1
aeec37f8fb38a07b7e9cb06fd99d7b0f0ca40863
-
SHA256
4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1
-
SHA512
bd07a8019ef70e6a8e05f495abb04341cf5f887e7148d1e8ad0128671684e157f0850e0edcde1ef24a98234c2d19f884a1aefa2bfa73010c528a5d11ef2d7d2f
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYy:vHW138/iXWlK885rKlGSekcj66ciD
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe"C:\Users\Admin\AppData\Local\Temp\4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qynuc.exe"C:\Users\Admin\AppData\Local\Temp\qynuc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gebiv.exe"C:\Users\Admin\AppData\Local\Temp\gebiv.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5e3aef9da755fc2c331152df0a7f489da
SHA198b36755e9ef9e55ab9fa332777aaa4de09b487f
SHA256ed4248cfb3200367bb9da58dda79fe97861dae2a6548acf1b5a921719c9fc005
SHA512f228d6eb815b07c67452d7575118e1b2f105dc74fd4ec3523fd1be5660c2356d36abc5002612fa671901156d39c832d3c0f5b109c8f6636e8d6ad59113d06ffe
-
Filesize
172KB
MD5b9d9fab9a0bbb811e26a2d387bc2aae9
SHA19d3de320d7e4f4a43a4a35d9efe73a1ef53b715b
SHA256a8d9e9c5ce3e79e6fdae3ce4b488c3aec70a2eb6c688270d04adcb99eb198f24
SHA512f9c0170bd95873f7acf79d529f4d7746e9d89e6e6c30493ae1aa2008e9edbaf6a3c6cb111ee1313c7e84c2b3be0c0b59dfe4a93cac2fec87f4a90e2b54ca474f
-
Filesize
512B
MD50d5973a432da91022ab30994f78b0b23
SHA10b3443ddea01a53bf80c3c009cc816de7ae414c7
SHA2564cba05143e03765afcf10825853591f518a991685c2877358b55c3027a299a0a
SHA512f3ffd136c46db13fd11d3162d6dc86f4d61d38bc84b978f78091bd9c25cbcd23e49a56fb9ef89bad6010cb6ce4d6635304c9bd4995436f175da0490b48ae023d
-
Filesize
335KB
MD5c70317d6a8dcbedf7ce5070e51f67f45
SHA1440c93c041a1c77b62d32f23854a6405886e0f92
SHA25684c65e2a656a893ffc3494f089fd25a60edf8602f636d27e59c4f3fa6c8c4619
SHA512c450fb7f24eced65508bca6f61024381735c50c437675a5f03fb96e51784153b899bf36fecfeb7bfbc0284af72128b38cc653b7462eb105bf826d6b711ef2792
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB