Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-12-2024 06:06
General
-
Target
ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe
-
Size
341KB
-
MD5
09b5ac695ecb26f5923167783af898a9
-
SHA1
f78da648815348fd48e1ff6c1ceedae215517e1e
-
SHA256
ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248
-
SHA512
0d71c6709e2ec28c5f9b04efefb618f63ec551c2693c5f90cee9658495a46471ae83dc0ae7a2dc63ea0ca036d8cd2dc02aa7df9f05d944e0300de9ad592a1f14
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYRcECHUI:vHW138/iXWlK885rKlGSekcj66ciaC0I
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe"C:\Users\Admin\AppData\Local\Temp\ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xaanf.exe"C:\Users\Admin\AppData\Local\Temp\xaanf.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\biuvw.exe"C:\Users\Admin\AppData\Local\Temp\biuvw.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5b7f738828e7994f6100e64d268f74324
SHA1eb8d5fb479fc449fed54c2a3f3442ca1eb09e30b
SHA256c55069323b429916772859606722ad8928ea6ed8a005a649589bed8f7fffd5bf
SHA5128b1a8e647a6f14ed1cdb403b0eb29659a83fb2928740c373851f37e0fa41fe8ebdf9a313bf98d910fe43f369c806328e88132b9c10cf0199b66e7443d63a0cf3
-
Filesize
172KB
MD5fbbed57c224ffa4a763d931427d9562d
SHA11dc721452bd2093edd8f3f7dc9c7812717181c95
SHA256ba3d8a2988cc1a89183831ee47f59bba0d02e7d51ba2e89785f653bcdda8bf2f
SHA51258bf4ddcfc52a1498c80bf732d3899a0b5b7836a192d1fd588a7e291592a0189ad4391befdd1498f9434eaf7ce7a28244f3a7066336133aeb04a4bc5de6a9a96
-
Filesize
512B
MD5dee062898d34f9eaf24f2be576e0d35f
SHA161e4140f3f3959331c956b9f5056051281327947
SHA256ec493e2ad24ba2191b50e1f4d4c490462e7e8e9c258baf369fc41540d838edf2
SHA512b9201b2ed10d8c7b289c217fc1bd84b9fe569a3286715080403e439aca549dfdcccf58a7fdb131351ed1f749ea00d95f4570599a5e29c84a00739c841e678440
-
Filesize
341KB
MD541c692d74f7eb122f87de9cd4e587a12
SHA13c636ab1cbbe67c9c41e8a8cc5bebf2a34e679e1
SHA256dd29e10394a391a27b4e20597c4c6dd1689bc847f9a21e4119f551b6e1ffd364
SHA5124558fff3dc71c37bcd67dfff52e36a96faa20e2721bbab17a008513f2fdd1807b4e04eedbdbd9b5b4d26bfa95c96e8503a44e769a1fc8d426f13ec9b7901ee88
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB