Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-01-2025 15:53
General
-
Target
ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
-
Size
336KB
-
MD5
af16791ad664dbfb2e700be33ef6833e
-
SHA1
200af680d9afd7478405ce73100275eb26dc451b
-
SHA256
ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb
-
SHA512
03b59cbff8889d256946b36507d8c460cc74536e76a52ed76c39bdb2b4c7f32d22ce2c33870a521cad376c759a85d6d4b4b08406916b7d566cfd0b3dd2b7c40e
-
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrc:vHW138/iXWlK885rKlGSekcj66ci6
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe"C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\oxnab.exe"C:\Users\Admin\AppData\Local\Temp\oxnab.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dibol.exe"C:\Users\Admin\AppData\Local\Temp\dibol.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5b4e79e0f794ffabf6e410d4b9d8ab9e2
SHA16f8bf0c97b7d39bd1603de5d4132db36ce0b402f
SHA2564bf337a3b57c15ad8b0975636630e8db677a9c8301a5566dab44a584b1205be2
SHA5129b955287ecf2d8f385d1235357fada05901cbd75572556d9efc4eb12073d3b7f34f190e53c3c8668db98cb5357f65c4fa2531cad26eaa85bf25011559570ec6c
-
Filesize
172KB
MD5c88bfc01dccc521301598b2f5b03fa71
SHA19302b616838d07b1fbb54b7b490eb6d8ea637c93
SHA2563969cddd19a81573146d9eeafb61cdc86dfcfaa7c6bc7f522548b593bf8f9faa
SHA5120300a475e1ab8a06748c737d6ac901b57e2ad710b47a344b0aa108f91139ca9bdc20c909ec5ded7596186ef0e7f6b89f7d80ddfef35bad53bc221cd1f988b649
-
Filesize
512B
MD53ecafd3c91f08af8860448b4669cace7
SHA11a9c0b405d08a474bb9ae12947487066d9f61afa
SHA25661e5e1375d0e1fa55ed13b7bb869a144619d16a9e080b5300255fc8546c6d247
SHA51229acc1c05aed4472e6a7d928e77bb9ee4726ad09ce6c61a0c3ce39b7d5943baaeeb3ca3e3aa96a5dff4e1969efc93260219387b292246b3a133458a63fb3a8fe
-
Filesize
336KB
MD5bbebabd18581eeb3b9ef3a0b0fe76b2e
SHA1c3d4b072eca4aa9d1b4a0281d8568407e02cbdf2
SHA2566abf4036220a3c45586a50b82b6bbb46c23e782ff0d4df906750c2c9540264b8
SHA512bc206c063007d0977a873e17e57db93009bd24b46eb96f2e063d0e6a46656383a031846b469f87336982bdbd45842d247138da11df835d2b3f933c9ca5a26c4f
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB