Analysis
-
max time kernel
119s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-01-2025 03:43
General
-
Target
106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe
-
Size
336KB
-
MD5
184521dc985f9347420decd07ebb3d1a
-
SHA1
a97891c7a46cc0cc8e88a8d60ef4c7b91044d136
-
SHA256
106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0
-
SHA512
0c5b90441faf0057e8016f6dc696acd7860eb0cf7884f110299cf7727a249588a5cf7bbb76c2633113521acc71956e449eb07cf8cc52f54eae5831d4537a9d93
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKv:vHW138/iXWlK885rKlGSekcj66ci3
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe"C:\Users\Admin\AppData\Local\Temp\106a93d92afba2835a8d35b6b8477dc618e300a552dec4e12c6edc34794280b0.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vilod.exe"C:\Users\Admin\AppData\Local\Temp\vilod.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nirym.exe"C:\Users\Admin\AppData\Local\Temp\nirym.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5cf966dec08dde4c3034c5a706d158e3b
SHA1c33b0e814351a9171961f81f518bff55e4d8869a
SHA256017d9fabd48f983facaa2620c870ebe44f8d0ef5eb7dda609fd87825b4c68ca1
SHA5121a559c741e53669a9459b3bef758016c4819f58dac75209caf81be1e9f86bd2be89b3d09e6529931d834821c994fe4503e229b3ec29b8d2e598e7ea4077101ce
-
Filesize
512B
MD5719b67bdcc49531b48198adf1d20c5b4
SHA1211c66b8c2f0834ab3fc256d6944e7a4cf0dd706
SHA256f4aa0e1f90b0f55ef413f2ab84737dabacaf0d5378c87bf3c9d48768d99cc540
SHA5121c132a9eba9ada8858bed911e9ce66583cdf8a9cda6d291bc3f6261399c7f9934d4f4cdbd7c895caedb8775231d270330787be5ebacffc59ed048ecbdc9a48fe
-
Filesize
172KB
MD5184110d97afb73af6d54ab028e73c1aa
SHA122e338c0cc8239ff39b042b3d30e15240968393c
SHA2566926da885e905dac5cdb3afd3e6dbf2f4d2f26c46fee6ce54df863fa931d063f
SHA5123514d1bf490796b9f868f39d717ba15d0a319931bf162ce441ed4a1d75aa3c46be457dc3e4958a78a613332868bd00e20b0fe621de04d87504569e2e3860d59c
-
Filesize
336KB
MD542f2a481f61015f7992d7e2e06a7496d
SHA1aa1576ae92cc42530d6e576a12705aaa3c5de685
SHA256e1ad958e177ed17d67541ce703cc2f2477b191fd201b6e4bc194a44309611c04
SHA512ab4660950dde5a982178425ad7acc25b742f313e1942c64b866b3418cc975cf039bfaae75410707f0c4da39bea3c0e869af04f4e6f926f9a7ce53bd02a5e03cf
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
612KB
-
Filesize
612KB