Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-01-2025 03:55
General
-
Target
6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe
-
Size
336KB
-
MD5
02c93b7e5787309e5449f494b60ff083
-
SHA1
6facdc23d4875cbfc5d61a615685a1704a05452a
-
SHA256
6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e
-
SHA512
a2a17cab1d187187a1568738db0dc9c534c3869a611298f207a58dc12f122ff4ce7e00f188e6af2612b7aa08172c3cd50dfc6e8463f203b10c035a79e35f8d6a
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKo3:vHW138/iXWlK885rKlGSekcj66ci6
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe"C:\Users\Admin\AppData\Local\Temp\6d2ccc1f90a3a346e7821353dba28e37083615cbfb182747bd391512191a9f4e.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gafap.exe"C:\Users\Admin\AppData\Local\Temp\gafap.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cuseq.exe"C:\Users\Admin\AppData\Local\Temp\cuseq.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD563e5603d82f6641aa23a0cf86630138c
SHA13c86eb01841decf6c6d607c7adc5e0b90d43a588
SHA256c20ffdc0bf5230c7a8774a274441987790d0e695da9eef48e51d1d667059b464
SHA51276f2acf6d292c3144f0a26e2392ec740e9b8c1782f9120a6d981f61c1e5274cb1179517af31ccd68d2cec956cb487bd3852e80ba3b5aea108fe97f75fd4c9610
-
Filesize
172KB
MD5cc9487946d26a875e8d5b7344ca048b5
SHA128e158469414a9af009576ebd2bb8894a604e49d
SHA2568d7153ba3b69f83454b3c370c0110517a9d73d9bb83808b61e0cce868e417931
SHA512a9f07b35e996d823b168032e3f21af3a7a93e39c38e1dccf26cb2baa349af56484c8f797e7acf10e9e3b0812819f4af902919de255d46d05820acc0c77b86552
-
Filesize
336KB
MD57ddbb1896236dbd4a0b3e8801a1a0516
SHA1278e97b29fe0e75befea662de73d4d0b2be84876
SHA2564a8b1d775c41bcc6f1d510cc6bd6bc6eb318ad0c3371d540765b7e55bcc5d4ad
SHA512e6d6fd8a546ded43da1c6ca3d2e0c56973f296116bd9fe3ca2771d6a8ef3a2c04f8bd8fd7154ae8bda324db1296d1f2a70ab12e8b439fafb367e80b2d9680101
-
Filesize
512B
MD577c74b3f32bd920f48bc318f1358ffec
SHA1762b6c15aac264be4ced1bfbec2024f8c1a4e038
SHA2563b5330afbcf09f26165e7e64aeae14628290c200390675e6c6b7ca20960d6120
SHA512f8a046fc2c518ea0d29ca222f5d8647a1c4809bf8e85ee01f7f076d9d1e584685a01468bc66640d00b6cb5108b8f62c7c854041ccb4f71fe588bee2add12aec8
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB