urelas | 48c977d3a1e9bbc7b29b162574cc573213bd8cb4c4e06c52fc46ea48fff89a5b

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2023, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

618ac6d1589cb78955bfa5ad969f59a1_JC.exe
Size

467KB
MD5

618ac6d1589cb78955bfa5ad969f59a1
SHA1

2181bf81988d24c067c9b95f715d505b02bed07c
SHA256

48c977d3a1e9bbc7b29b162574cc573213bd8cb4c4e06c52fc46ea48fff89a5b
SHA512

a885ab042c93b00e3798364e6f61ef800994ce917e52efe12996abae9077308174ec33de1e6e66ecea514c4a4f58f92f24b26d302af84bb374e2c70df5345bd0
SSDEEP

12288:93CtSokfFGUMKwlTIU/b37dJ75WEe+eKTxB6mP:9x9GzHlTv/b35tecFB6C

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	618ac6d1589cb78955bfa5ad969f59a1_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3728	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3728	4516	618ac6d1589cb78955bfa5ad969f59a1_JC.exe	87
PID 4516 wrote to memory of 3728	4516	618ac6d1589cb78955bfa5ad969f59a1_JC.exe	87
PID 4516 wrote to memory of 3728	4516	618ac6d1589cb78955bfa5ad969f59a1_JC.exe	87
PID 4516 wrote to memory of 3796	4516	618ac6d1589cb78955bfa5ad969f59a1_JC.exe	88
PID 4516 wrote to memory of 3796	4516	618ac6d1589cb78955bfa5ad969f59a1_JC.exe	88
PID 4516 wrote to memory of 3796	4516	618ac6d1589cb78955bfa5ad969f59a1_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\618ac6d1589cb78955bfa5ad969f59a1_JC.exe
"C:\Users\Admin\AppData\Local\Temp\618ac6d1589cb78955bfa5ad969f59a1_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
283B

MD5
eca56e881be090bbabfaa0d99e3d2e75

SHA1
caae1fec7bdb91d74e4fd229af8f8f4c200fadb9

SHA256
43b58cfdb33f3ea8b28e536924dff6cab2c0e5c44ef4ab7927275e7c05f9eae5

SHA512
6f7f2afe5d14fb81e84c8d94f8d491d32909b3a77eef80968935d5614251def30dd50866cf73b5f62bdfc5785908f9f409ed02b74082653093631a802665af0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145cec05d8d704ff7aa3d812b1aff628

SHA1
097ae09965ed3804359803708b8af87b5b90fcbb

SHA256
66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea

SHA512
1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
467KB

MD5
b7c5a44ccca9fd3d8d51713d126b5803

SHA1
64e2a09755ac90b8a1e9032332c39a1ca1a648bf

SHA256
b3387e34c64b670a2ced5a475b20de7a2f6dab0f9f425eaa11b88b16ad537245

SHA512
e016f80cbd2699933659e5ae0c334eded97c13d206df2b51e06ed840a38653ee99134a796fc0e36fc6c0ae2faba5af63f69c8f6bb80b44861b753f55bc43f191

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
467KB

MD5
b7c5a44ccca9fd3d8d51713d126b5803

SHA1
64e2a09755ac90b8a1e9032332c39a1ca1a648bf

SHA256
b3387e34c64b670a2ced5a475b20de7a2f6dab0f9f425eaa11b88b16ad537245

SHA512
e016f80cbd2699933659e5ae0c334eded97c13d206df2b51e06ed840a38653ee99134a796fc0e36fc6c0ae2faba5af63f69c8f6bb80b44861b753f55bc43f191

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
467KB

MD5
b7c5a44ccca9fd3d8d51713d126b5803

SHA1
64e2a09755ac90b8a1e9032332c39a1ca1a648bf

SHA256
b3387e34c64b670a2ced5a475b20de7a2f6dab0f9f425eaa11b88b16ad537245

SHA512
e016f80cbd2699933659e5ae0c334eded97c13d206df2b51e06ed840a38653ee99134a796fc0e36fc6c0ae2faba5af63f69c8f6bb80b44861b753f55bc43f191

Download Submit
memory/3728-10-0x00000000009C0000-0x0000000000A42000-memory.dmp

Filesize
520KB

Download
memory/3728-13-0x00000000009C0000-0x0000000000A42000-memory.dmp

Filesize
520KB

Download
memory/3728-19-0x00000000009C0000-0x0000000000A42000-memory.dmp

Filesize
520KB

Download
memory/3728-20-0x00000000009C0000-0x0000000000A42000-memory.dmp

Filesize
520KB

Download
memory/4516-0-0x0000000000FE0000-0x0000000001062000-memory.dmp

Filesize
520KB

Download
memory/4516-1-0x0000000000FE0000-0x0000000001062000-memory.dmp

Filesize
520KB

Download
memory/4516-16-0x0000000000FE0000-0x0000000001062000-memory.dmp

Filesize
520KB

Download