Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-01-2025 03:44
General
-
Target
bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe
-
Size
505KB
-
MD5
e8c2d1a78d3f6c19c06a82c8fa661946
-
SHA1
3dac0a7c3a8b17bb26283fe5e0f1f2547dc161c9
-
SHA256
bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9
-
SHA512
f572a0740c2c823c3768fe89beebba122ecee8f6c036395908a7b37c2b64885ae1bcc8914e66b3eb97763a779463b3797d12d75eb1f9cfbb3cd6b2d4c8ee7ab9
-
SSDEEP
12288:N/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFO:N/D0caF8wvhb43pDbO
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe"C:\Users\Admin\AppData\Local\Temp\bcad497975477a792314eab89093bafcec62925b46d919d34624a3549588c1c9.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wunas.exe"C:\Users\Admin\AppData\Local\Temp\wunas.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\heobp.exe"C:\Users\Admin\AppData\Local\Temp\heobp.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340B
MD5470456365dbdf08d67a707931b70b423
SHA1c1568446d3a6daf6e08ba343e1111b6f8cbd83d8
SHA256f0596ed299657ca0cc56dec4c2a6b056517a5697264f6fb5ae0f2df1f4995610
SHA512eef7c083f488e0161fef9dcd2dbd36821fa29c62407b0a2ceef20beef94dcf00969070314c9118237871075d0b60f43368795402236eb96c48cf3085489dca9c
-
Filesize
512B
MD5bf5979c43dc8231f1737349c6b8d620a
SHA19f8de6c7afda627618587e6d6daeed142b72d4e2
SHA25653800b87cc1c9156ccc5943880c07adbbe9a7ce6067c75783bbba27e7e79561a
SHA512351fdc0510bd18f6370ef2de20055238206e375ed9fa587f7dc0c53988c9c48e4514819235e5d847d0fa9ca9dbde0eeafae807735ca032f2cc15e48ca69692c9
-
Filesize
218KB
MD52e21c5920fe4a25912d369c2c2aa778d
SHA17b7326b63b85b9774cf5fda56d0926603945f047
SHA256d7cccf911a2db6ed778643ded91ece94ef2a37c4483644b0881c2db61115476c
SHA5128cab9b8684e61207f358708523d46fd182ec63dd4b8e67882d9f3029d7a82875328462fe13280ae05d5e5f724ca9f34e2c7513406d105762d9ca45f3b4862221
-
Filesize
505KB
MD5cfa9f2a6a69dd422dc52cb30387c17b7
SHA164c684ff109d23981994879a7db599c46e505c04
SHA256bb5af05a14702356971865e37678e97d74ae2cdeea037ba777d564c5d6a571db
SHA512cfb5839213427f6d3d668527c4f6efccabeba3a41a8441ae4ff1a2d614a85501a2dc9f2b91d8079937a610aeb79f8651dfa9851647190265cec0e5df1ec89988
-
Filesize
8KB
-
Filesize
748KB
-
Filesize
8KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB