Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-12-2024 02:37
General
-
Target
40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe
-
Size
337KB
-
MD5
53ac000b628536d3b532efbd2d8846b4
-
SHA1
091906986ad4bad87d885985e9b94b8df39dbf1e
-
SHA256
40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c
-
SHA512
56f18871a2d08423b1ab48f062327633c04a0bb20489adc38efda0cfe2d10d551b5fb127968534eb17d3e02c51b155afa7a77108832b3a54ad2da3b6b56cd281
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYl:vHW138/iXWlK885rKlGSekcj66ciU
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe"C:\Users\Admin\AppData\Local\Temp\40044b6a74c6878ea917eb7fb60f90a6c0d712e89a44b5597070b428e2c1620c.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vaorh.exe"C:\Users\Admin\AppData\Local\Temp\vaorh.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\riery.exe"C:\Users\Admin\AppData\Local\Temp\riery.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD56159adc1cb3082c6fba29dfa4259cbff
SHA15433d9d06057c56c48705e845b2752d83e010512
SHA2565797579a6cf20ab1438fa6b8b6c63962815956eb46f0187a63e53254a9d92649
SHA5128784d5bca01318502b0044e38acb2b6352055b620f407127e7d27c897d11513fc74bf6a423b1d4c86fdbae7dd905ba0d7821c7660df1f7de21c9b87f14c2705e
-
Filesize
512B
MD587760657de8502a33c7c542e8e4150f3
SHA1b9ec177e94a3f11125feed1d692c4a8b0e00230c
SHA2564fbfe7c52376dbe69670766629fdab66230b1f5fec1a7ec3bfbd84afec4ae0e9
SHA512fc1d15be171a3acd5e630ea38510390751eff11db22f498d3ebbebbdf890ba8fd6b1ad771a064cbfa143089641d3357077b4ca74c3fd7237dfcec7922694386d
-
Filesize
172KB
MD503d93addc44b367d1219a5b767dd5a34
SHA15c9479180e9195d66106fff48b0c63626c0e9f81
SHA2560d45a11aca5a4a42567874fe6ea1096d3aba0d9e5776e2ea15fe0ea20f37e471
SHA512f8fb8f30b240095f1952a461d49abdfeba0d81c4a00d5cf3afc9c840b2ca412e6b42c931c852d4272f6eeff6a994dcd6a108b742d72ddc050012f63e6166a56a
-
Filesize
337KB
MD5479d1b1502b8402a99503a7b87302508
SHA1e855db8dada35033d316b2e90f5943e04ff5e128
SHA256936b31f26324a4b4395e559f431e233e54b3406ac95071da56ce0f2d7e95ae72
SHA5123f697d8cf334132449d879498f0accbf99b78b146d219a5995379cf00ed152290c235cbe90f9b1ba89b18589978f7d7c2379afc7d86b6b1a148e509d90cc0bb5
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB