Overview

overview

10

Static

static

3

a17ca6775c...23.exe

windows7-x64

10

a17ca6775c...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe

  • Size

    335KB

  • MD5

    6b666dfa833ec6d0c62fb67a7ae87418

  • SHA1

    e77f30d849a146b729de8854af4585a39367d7e7

  • SHA256

    a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23

  • SHA512

    c24e16a81378194d8c2369019b40d2da28ed72bb58e4cd39e990f4fbc22ab8bb87d3e4372567874d815490043c594c956e3cc2921d987d567bf1b6836ebd844f

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66cip

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
    "C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Users\Admin\AppData\Local\Temp\kybou.exe
      "C:\Users\Admin\AppData\Local\Temp\kybou.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Users\Admin\AppData\Local\Temp\siyvk.exe
        "C:\Users\Admin\AppData\Local\Temp\siyvk.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:600
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    685536c0e1272446d2a40581313063da

    SHA1

    7ad7c85993b9969bb5262960be99ac1b5b35eaa7

    SHA256

    05edf07daa1cb8ad2f4362f1240218f1759dcc2ff1e8f843d751c46aaf385636

    SHA512

    6e584327e2aa9d1f6395b015e348f3b97dff9e617a22bcae11be4866b481d9ce32d8adc9306d1529341e631f161e48109ca5569882b4fb82bb5e80ef09dc629c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    5578bfbc5c30666a944a7709235554d5

    SHA1

    e9ead275178df7ec2c4a79c4d6eb07c7a66a5673

    SHA256

    b4c786b3c534f862f3c69478aebfe5b26eaf17ec53d865d39b4b4b2df98c3a35

    SHA512

    7c0d12ba4bc33f815017240ce47344bfdcd78e6298748181f26779f646ebc335a2c7b9daddd3f575d05e38e4b34907f1b03b1638fb3c120a967b257eb092b4cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kybou.exe
    Filesize

    335KB

    MD5

    903e477d5148b75c2db665dee5d7d488

    SHA1

    5c02a83e0be089093f7e25778b85e521223ecd2e

    SHA256

    8ecffe1286ecc4f12069d6d9588fae71720659f6831adfec71101cef2f9ad972

    SHA512

    45a9187d77c9564b9d562ae9428306cef376fcf4a1679a891ae8641842bb3751e8aecd6444e2d53f11c551b1ca67e4849189e1b5883f704dd2827f8b6a7bda93

    Download Submit

  • \Users\Admin\AppData\Local\Temp\siyvk.exe
    Filesize

    172KB

    MD5

    5aaf62b3b0ddb82e45b1fc9fa923eab1

    SHA1

    ff2bb59e93e1ca09982e9a2ed9578983709f704f

    SHA256

    50db9cba2c2d251318a476df28f575a99492a2a0e6a97066e3c1502e4845acd3

    SHA512

    8f707b97af5d4f1c866776a92e25d7079fffb0b9adf994b9fbcc8bdbb524011747c24c60a5437b97995a5a48025fa785c32a3ea8df898b088b380f133b311cdc

    Download Submit

  • memory/600-52-0x00000000001A0000-0x0000000000239000-memory.dmp

    Filesize

    612KB

    Download

  • memory/600-51-0x00000000001A0000-0x0000000000239000-memory.dmp

    Filesize

    612KB

    Download

  • memory/600-50-0x00000000001A0000-0x0000000000239000-memory.dmp

    Filesize

    612KB

    Download

  • memory/600-49-0x00000000001A0000-0x0000000000239000-memory.dmp

    Filesize

    612KB

    Download

  • memory/600-48-0x00000000001A0000-0x0000000000239000-memory.dmp

    Filesize

    612KB

    Download

  • memory/600-44-0x00000000001A0000-0x0000000000239000-memory.dmp

    Filesize

    612KB

    Download

  • memory/600-43-0x00000000001A0000-0x0000000000239000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2604-10-0x00000000024E0000-0x0000000002561000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2604-21-0x0000000000220000-0x00000000002A1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2604-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-0-0x0000000000220000-0x00000000002A1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2620-40-0x00000000042A0000-0x0000000004339000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2620-25-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2620-42-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2620-24-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-11-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-12-0x0000000000A90000-0x0000000000B11000-memory.dmp

    Filesize

    516KB

    Download