Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2025 05:08

General

  • Target

    b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe

  • Size

    633KB

  • MD5

    bedf5ef24508a60e2459fd9062b4ac36

  • SHA1

    3ea78acef799ce1599af184e26611c6f363324b8

  • SHA256

    b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24

  • SHA512

    d24ca9809f1acbdbbf44f98ebe95b6938ee4c33c3e43ae196cf5c5544d6f88d8e47753e83a062f7c69144adfe39664b88f0c5909edf141c0311b43dfcb77c4ca

  • SSDEEP

    12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsdd:5UowYcOW4a2YcOW4u

Malware Config

Extracted

  • Family
    urelas
  • C2
    218.54.31.226
    218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe
    "C:\Users\Admin\AppData\Local\Temp\b05ed627dcb8d0dae63329e1d69491dd49deac708e3f6ca5c41b03d95a308b24.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Local\Temp\luovt.exe
      "C:\Users\Admin\AppData\Local\Temp\luovt.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Users\Admin\AppData\Local\Temp\lelyy.exe
        "C:\Users\Admin\AppData\Local\Temp\lelyy.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3784
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    340B

    MD5

    dff9241e398129e5231245c4a6cff3e4

    SHA1

    9d07e2a8e82bb1965a8496737ec6c78c1dbd32f2

    SHA256

    3b190ce06aaebe8f90da68d6e17f72493426518d3bf63c7c02ea83c00b63e481

    SHA512

    18766b41f461dbd97554426962579b21a7237e6f34507b98a54eb81c1db096523ba43cb51a219f8f45d0c4a637828791c360ce085cb0e30e3030ce678e5b95e1

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    fe9217fdfff6f456cfd0ee82b0c414eb

    SHA1

    e04a1559319f923b9a610ff1e24f6254eef3e983

    SHA256

    26ef6789c19a73c733abf9afe8bc17e28bc3f498b56dc6b7ebfb458911581685

    SHA512

    ffc15be04717266a2d26205c65238ff4baffda40e7f204edad3d5aa1394303db423536a64a78bce8df428765af91f61be0096258de27135f4c69f814a699154a

  • C:\Users\Admin\AppData\Local\Temp\lelyy.exe

    Filesize

    212KB

    MD5

    9473d3c5d92450d1b35bd22fe5665cf3

    SHA1

    b2f8669e78b7030f2cb968c228303b6b899d3b6b

    SHA256

    244f1f844d875e535d3a06ee652b2a6647be00483b3605744c92c2f0eace0140

    SHA512

    85d508e459aa203101b6fb794c3b147d81b5866d3bbcc38c99fdcf7d8869474342f6a194d223569899587b00c52818ae36abbc20cb6a9ff799b699e2bb139a0b

  • C:\Users\Admin\AppData\Local\Temp\luovt.exe

    Filesize

    633KB

    MD5

    17d90239bdef3aecbb6fad0b0d88611b

    SHA1

    e77901bd432b1e517e5acbd8c92916fa423ddf70

    SHA256

    34a4cc3261a9b1383fe6f45114f661e3a7a2fcebf3f6623ea7805404b2cc9b59

    SHA512

    070bb52b2dd49cc1690d0f32bafc1d12835c810541c6503e43cb5302305f72bba080f7a7e667457761af2a97fcfb98633f436f1b0810d6f02bce7692477d00f3

  • memory/3784-31-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-28-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-26-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-25-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-27-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-32-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-33-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-34-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3784-35-0x0000000000490000-0x0000000000524000-memory.dmp

    Filesize

    592KB

  • memory/3976-16-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/3976-29-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/5088-13-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/5088-0-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB