Overview

overview

10

Static

static

3

cc9cd80e3a...4d.exe

windows7-x64

10

cc9cd80e3a...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2025 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe

  • Size

    442KB

  • MD5

    fa6e8dd182cec92f3ed6ff7927eaf628

  • SHA1

    612b64625bc72df8ac25d7163b45650647715832

  • SHA256

    cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d

  • SHA512

    885189e84e84e0bfe5f435678af9aeb43a7903ebd5fa44abca16f16adff3f9fa95850df8636c39e56e2751474872fde16ab14a503166b09bdda02f44b7c3b8c3

  • SSDEEP

    12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPr:8Hn6/8NOy+CDQcciQpeoPr

Score
10/10
urelasdiscoverytrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe
    "C:\Users\Admin\AppData\Local\Temp\cc9cd80e3af0e7ae8d3670fd05d6b8f5ae247cf823d3d5554fd56a1f19815d4d.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\uwkis.exe
      "C:\Users\Admin\AppData\Local\Temp\uwkis.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\gyada.exe
        "C:\Users\Admin\AppData\Local\Temp\gyada.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
    Filesize

    340B

    MD5

    6a7c84720548deff10f32c474b9a4845

    SHA1

    c3d2a47a81104e0960558d134b72b9d9aa4fa546

    SHA256

    4429ab7fac25beea789a89d68e2d73d697565d54aaa797abbce6b2038735c601

    SHA512

    1805e4f0fac1f05b8534fdae77c00fdc41845596364c4544cbde2eaadaa333b24249f8cd50c5cf693639b10171b3d5bd0acf2b91499fad7e26966a3c129db3b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    d85b3c0309689ed4ff54eaae001f1028

    SHA1

    3514caa1e5589f2134e3081d4927b12d243b7a95

    SHA256

    846b23926e6feb406ee989b5b5a41fba9aea2f978457c6e8fe3b9db219fe5cdf

    SHA512

    b28159d4dee80f3374c8f47e96e2d1c74ee407173257d2e4002d47f2f9bde283a4bd3decfad563ddd684c6b210dea605d4afde7533050e58665a375651354e23

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gyada.exe
    Filesize

    198KB

    MD5

    b3a404a00db9a68c0af1fcc774303866

    SHA1

    2be23defd7ea782fe1fcbb7db8ccef5c6ee0e71e

    SHA256

    5332dbcac74d0a11f320bc104ddc89d97dac8d85de28491a4aea6149411d578e

    SHA512

    90f2940e56b7cc1511fda7965431bb356524e64a4f1dcc048c4c9cdf600737ac7dd9fa754ffdf92e8a367bc3bcd40758c6cc9aa77a30175c18c5b9d78c92c1c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uwkis.exe
    Filesize

    442KB

    MD5

    5db902259f8117e5b8ebb432291acd65

    SHA1

    b9151a3bcec27d0826381b4074fcc6f09dd4ed92

    SHA256

    231ff8a67be3d969bcdd2489fdbb6fa58c52d79ce23d5d1d47086fabfe2c013d

    SHA512

    c2698c4514a053e1ee5bd45766afdfb847927f5b1d61a5173fc493e0dcc3dbf4067d415a2fef84406c7c5c2b858450acc9df1a324c8b20cd477887ccb9c169f6

    Download Submit

  • memory/1168-1-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1168-16-0x0000000000630000-0x00000000006AC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1168-0-0x0000000000630000-0x00000000006AC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1520-20-0x00000000000A0000-0x000000000011C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1520-17-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-11-0x00000000000A0000-0x000000000011C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1520-39-0x00000000000A0000-0x000000000011C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2388-37-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2388-41-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2388-42-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2388-43-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2388-44-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2388-45-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2388-46-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

    Download