Overview

overview

10

Static

static

3

79f1b9a2ad...d4.exe

windows7-x64

10

79f1b9a2ad...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 08:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe

  • Size

    338KB

  • MD5

    7730300521b224a4da2d229a23ee29be

  • SHA1

    62658aa96fe03c486e556f494b45b3a99fa81df0

  • SHA256

    79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4

  • SHA512

    6dcbcffef2db950e9bfc272aca494a1279486d00bed0d754c28514ad86cdadbb3629dd28c50e8777d9594d0b5f4dc889cc3a9338192ceaf8ac09e5e8f240db4a

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKo5pF:vHW138/iXWlK885rKlGSekcj66ci8

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe
    "C:\Users\Admin\AppData\Local\Temp\79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\heriu.exe
      "C:\Users\Admin\AppData\Local\Temp\heriu.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Users\Admin\AppData\Local\Temp\xolim.exe
        "C:\Users\Admin\AppData\Local\Temp\xolim.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    4bdc6497043a11b4c1ea9570b78fa632

    SHA1

    9670e689b4afea0d5a92ebac883220073c7a5770

    SHA256

    2bd6369057c86b400c5ecaefa4d6080b36fbcb29521ce01419931f34840d69c0

    SHA512

    cf82eefd80cbd9fa94aab54a32acc5813ac10607785b5d477d51dfccd3d93cc8bec90710108df0d6477a56ef1bb8911c564e0c2a404ea0f3ae717bc2cccdf36d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    a563e45556650fe0117a5e20a66e8822

    SHA1

    a6457ad12d99f3ed59aaed3e635f3d9fe86bc356

    SHA256

    c336bb127dfd13726537ab4ba720e62cb604212c502a26197812f11c8f570c88

    SHA512

    865e9ef4b0da286c8f2c7aa86a784352707bd120cfab1aef5af2dcec80cedfc7d626437eb8b92cdfc7db31d9199cfd04e0ad9484ffba71a7b6de472d9e5d4cc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\heriu.exe
    Filesize

    338KB

    MD5

    e388dba4b63601f988d8ee063dddfe58

    SHA1

    800e2547ad9de2bef67027f1ba56818f82c1137a

    SHA256

    125dc55007cbce75c0dc686a6aea2f34b8165eca48b74124da60ba26de61c677

    SHA512

    ad13f8a37a6065e122ed9fb559ed95f4300a4d0edcf934a61f3c0182fd133e9bef90064ee89ad20a3d386e627e9820a516b146a66b57d283832347975b381074

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xolim.exe
    Filesize

    172KB

    MD5

    38d4a399e7f208456ca238212fbbf699

    SHA1

    99510524dd8d43559f375d47ea049b7da5760253

    SHA256

    e3247ad94e0434c2c84fa3a87d8329db32b7057eb3c828ccc17486bc4f8ad8e1

    SHA512

    455cf498024c409338c724e73c9d300d697d617f378965ee24f67c381f459fff15957267cde3ce2a647ff565ae64fa10a189d75e836319265d411f7b98140d6d

    Download Submit

  • memory/1720-42-0x00000000003D0000-0x00000000003D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1720-46-0x0000000000060000-0x00000000000F9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1720-45-0x0000000000060000-0x00000000000F9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1720-39-0x0000000000060000-0x00000000000F9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1720-38-0x0000000000060000-0x00000000000F9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3024-1-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-0-0x0000000000B20000-0x0000000000BA1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/3024-17-0x0000000000B20000-0x0000000000BA1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4436-14-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-20-0x0000000000360000-0x00000000003E1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4436-43-0x0000000000360000-0x00000000003E1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4436-21-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-10-0x0000000000360000-0x00000000003E1000-memory.dmp

    Filesize

    516KB

    Download