Overview

overview

10

Static

static

3

6e6e918d43...fb.exe

windows7-x64

10

6e6e918d43...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe

  • Size

    336KB

  • MD5

    70c6382e43012fb0d1636bc74bb11f90

  • SHA1

    6d483c4af8d32a91b1b8f8da35fedbb4311769d5

  • SHA256

    6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb

  • SHA512

    801f884cd7b2d13d4b7d50b62cea35f78ca32ebce8ebd983c7f7d75b47eee95055b4007f241ffc82ac9f876507b201eed70e15da7e5507b46fdd324a4dcc9be4

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcEGC:vHW138/iXWlK885rKlGSekcj66cih

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe
    "C:\Users\Admin\AppData\Local\Temp\6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Users\Admin\AppData\Local\Temp\atxol.exe
      "C:\Users\Admin\AppData\Local\Temp\atxol.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Users\Admin\AppData\Local\Temp\apxog.exe
        "C:\Users\Admin\AppData\Local\Temp\apxog.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3268
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    186c049b7bfe1d05489569beb8542172

    SHA1

    081b9d4c2a1dfc6988b88c233e7bb1916bda1a11

    SHA256

    aaf49c1874435bc14654efe628e3d3911e35cb520ded70b3f74075e96bbd29df

    SHA512

    d50c3242dbdd02e023682ce7ee152fdcfc3f296ec5ada7b7c69b9c9e841771f27c58250900692892d5fe442284f86251d8dfba2fb8ae8963d700ad8f104d36e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\apxog.exe
    Filesize

    172KB

    MD5

    f37356cc1b9adbed0f573ea0ad78ebf1

    SHA1

    781303bb12117713355fecd8c9932175a3ee373e

    SHA256

    dd069d88dfe31f36352cbfb2c9de6a5648c26df6a90a476c864da846edb287ea

    SHA512

    727b3584c8b631e00f7d61a573a64a9d5723ce012d16f2fcdf7dc13514156e40b2630c181942b1427581cf5eb845876da2403bbaded7fd429a7184d631bab294

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\atxol.exe
    Filesize

    336KB

    MD5

    e03c2a33e7ec102ebdba9a86b4f3723e

    SHA1

    cc01dcf764b2479b1fca5d5c97f45618289fab76

    SHA256

    ddab3426b6ffa3b35e1e2d522796c180ff4a3f9d47c79b1f077c09b764f32659

    SHA512

    692602b4b140769cfce150d5cf8f1f80c57914c9b80777f1d0e46c9f717994346baf4e794df983d093c580cb22bc446f0653e4f401393df51c4ae459fa39e366

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    5ce430ef8fe917c70defd2a93b569440

    SHA1

    eca15b0d8823bb74aaa1e0028372bec7430244b7

    SHA256

    306d28b8004eee814a86e697f08a3843087705bb17f2515459ab001942368edb

    SHA512

    c093531b8c08bb985cf6479c8a9a11d67ce258e3e6af46e3ffc538209b474548439eaf722dacc1e609733e5ae855defc3672345e25e73d7202b2c062146a7750

    Download Submit

  • memory/2392-20-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2392-13-0x0000000000FC0000-0x0000000001041000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2392-14-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2392-21-0x0000000000FC0000-0x0000000001041000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2392-43-0x0000000000FC0000-0x0000000001041000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2488-17-0x0000000000F00000-0x0000000000F81000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2488-0-0x0000000000F00000-0x0000000000F81000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2488-1-0x00000000009A0000-0x00000000009A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3268-44-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3268-39-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3268-37-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3268-46-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3268-47-0x0000000000A80000-0x0000000000B19000-memory.dmp

    Filesize

    612KB

    Download