Overview

overview

10

Static

static

10

0c6c40a2fd...a3.exe

windows7-x64

10

0c6c40a2fd...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 23:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe

  • Size

    593KB

  • MD5

    9474fecc38dce4cd41032608f2ceb528

  • SHA1

    8f5ab9143beadf50ac100f9acc972b255f668055

  • SHA256

    0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3

  • SHA512

    db95e17a11b74ee77a8ab15118a39ed677e84d8456c0b2a051592a6428a543ef611abed3c48c975c222332f53b86338080c95b8cec0eca1746cd576dadfdefa6

  • SSDEEP

    6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRF:C4jm0Sat7Az/gZvTIq2WKkw0FT

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
    "C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\cicuo.exe
      "C:\Users\Admin\AppData\Local\Temp\cicuo.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Users\Admin\AppData\Local\Temp\yqdor.exe
        "C:\Users\Admin\AppData\Local\Temp\yqdor.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1128
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    b8238cf0c1a9e2cb268143e19df5b714

    SHA1

    e71395251a8f69a5ce312aa47b2cd4d73576e16f

    SHA256

    830d361f3d638a7a707d4c3ffdb37cae095102707b4d043f5220a5acae15ba4d

    SHA512

    d76d26dbf1a107f26adde7f12b8b0a818427ae8fb4bd72f5a9113d3bbb4c26745784dfb8a0a4704f9ff417ea33630d6ae08c88b272a538975baf1147e6132cab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cicuo.exe
    Filesize

    593KB

    MD5

    31af710249c172376f36c5392a108f06

    SHA1

    a3ac8b871a87a0a7b73587d6b76bf39728904db5

    SHA256

    fc4fd79ea8db7fdbc73e11b968f2bb71eb1487f379d46b1788e3911ee93ccb04

    SHA512

    791145d874f558a2e1d87a0d94e83e5f6f3bb5325ae88008cde58d64cafbdf7d0be96ad833b32cb43231573508563fcf3338c88a6637b2ef3bcd85d3653ac4f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    1e8e7ff46a7fcb19eb0062a43b7e856c

    SHA1

    d8df1d4ffaee86882eb118df158c256c2556b331

    SHA256

    411c525684c84eb0d4f58836b63935d8fbfc3ebb18c2ad339643398f6b223dbc

    SHA512

    065eabfb28ae1ab76491b328821c25cfa5275a26db56eb7d74a9e3f9834ebab48afc90e60dab1b3a747f7542376411e290624cba8586028d4378c99bf6ea8e74

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\yqdor.exe
    Filesize

    323KB

    MD5

    0c2bdb92bf69dfc9b6d7eac74b8fde5a

    SHA1

    387817cb5a39ce790bdb4626b8d50a536895e359

    SHA256

    363ac139e9380f500ff68eadd7999edaab4b31389be3decaec4e087157c89876

    SHA512

    e5c48b49923807895c7738537661e7b717e3c682eb1325e298d5688e6134e9eb045ea32115808696b4cbbc699ae4346bfc2de6ef64adae4d7eb5f2496a80518e

    Download Submit

  • memory/1128-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1128-24-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/1128-28-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1128-27-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/1128-29-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/1128-30-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/1128-31-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/1128-32-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/1700-12-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3416-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download