Analysis
-
max time kernel
119s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-12-2024 07:49
General
-
Target
a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
-
Size
335KB
-
MD5
6b666dfa833ec6d0c62fb67a7ae87418
-
SHA1
e77f30d849a146b729de8854af4585a39367d7e7
-
SHA256
a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23
-
SHA512
c24e16a81378194d8c2369019b40d2da28ed72bb58e4cd39e990f4fbc22ab8bb87d3e4372567874d815490043c594c956e3cc2921d987d567bf1b6836ebd844f
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66cip
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe"C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ganyg.exe"C:\Users\Admin\AppData\Local\Temp\ganyg.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mehup.exe"C:\Users\Admin\AppData\Local\Temp\mehup.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5685536c0e1272446d2a40581313063da
SHA17ad7c85993b9969bb5262960be99ac1b5b35eaa7
SHA25605edf07daa1cb8ad2f4362f1240218f1759dcc2ff1e8f843d751c46aaf385636
SHA5126e584327e2aa9d1f6395b015e348f3b97dff9e617a22bcae11be4866b481d9ce32d8adc9306d1529341e631f161e48109ca5569882b4fb82bb5e80ef09dc629c
-
Filesize
335KB
MD5a0c1dffc8f13085f66b92bb96264e08f
SHA1d2eb57cedff263bed9b5d7c2ee860356e6dd993e
SHA2568c319284dd24632a52393732e2abde8b427bd01024cc1e8e152d5729e08886b7
SHA5127fa6c81b71b6b5dbdd21fcbc6d2179a3cd3866d2463538666b3cfdaadbc9a2c9eee9d5cf3c060bfdd2678095e75adfc183d3f8d09fab7618d7443a6c3a4059bf
-
Filesize
512B
MD542105549785302b3429f622d375b9ee6
SHA1beb30f8cbecf093f887cec7dc1ef608908ea843f
SHA25683fe5b495317ed7d98c18ec71c88409fe4ae4d18d4c559fd69ac8fd13421fcb0
SHA51210de4d620de1d69079d7b427547c2a7e33a9bfa58a7b4317851016b897a67026d2b2ae7d836e89337096c86e2493beafebd671d1595be0c40d748a21f4abe404
-
Filesize
172KB
MD5c7f5ea7e1153ddcb87c701c8297f6f3d
SHA1316e35eecb32e031fd704af4034289dd0df458d9
SHA25624953ca84f9f9c47d82593850771394f05229682500bb71fea4178a224162167
SHA512bad26029142b12ed1badec72cba8df18e1178782fdd6fce4a9306711602bfe03441d2415058a479670277d2c0ba040dbc22c2befcc1c84e764dec9cead5a0a90
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB