urelas | 094e5340a787eb63c7ec9bc0064e7041d6de24884f13c5de257e6f0951e63f33

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d15c0d80331707818e94006e6c65de2f_JC.exe
Size

403KB
MD5

d15c0d80331707818e94006e6c65de2f
SHA1

3250f10557bfd017102efb801b1877b09cd310bc
SHA256

094e5340a787eb63c7ec9bc0064e7041d6de24884f13c5de257e6f0951e63f33
SHA512

f7672242d0adeec0cb437950d5f1d342b75dd1e0dc81c8cf31a1babeb58f9352b2bff7ae1d2c9dffcd17ee3d6d0920875d42be58b24f705b221060d293d7713b
SSDEEP

6144:GkBy7+8pCOVi3L+w6Vg0lnwzBDFqzRoRXOmbvRQ20M:GUwRpCOVi3aPg0lwzN0RY+mbvr5

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	d15c0d80331707818e94006e6c65de2f_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	hedon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2652	1080	d15c0d80331707818e94006e6c65de2f_JC.exe	89
PID 1080 wrote to memory of 2652	1080	d15c0d80331707818e94006e6c65de2f_JC.exe	89
PID 1080 wrote to memory of 2652	1080	d15c0d80331707818e94006e6c65de2f_JC.exe	89
PID 1080 wrote to memory of 4864	1080	d15c0d80331707818e94006e6c65de2f_JC.exe	90
PID 1080 wrote to memory of 4864	1080	d15c0d80331707818e94006e6c65de2f_JC.exe	90
PID 1080 wrote to memory of 4864	1080	d15c0d80331707818e94006e6c65de2f_JC.exe	90

C:\Users\Admin\AppData\Local\Temp\d15c0d80331707818e94006e6c65de2f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d15c0d80331707818e94006e6c65de2f_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\hedon.exe
  "C:\Users\Admin\AppData\Local\Temp\hedon.exe"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
70385358603d3da7edddb2d9f79508b3

SHA1
1959c155b915b1b4745b2953e7f0cce778bcc507

SHA256
799002212a544b39f2f8d4b80cbf7f882c48af379262664daecdc781c206b7ce

SHA512
1ba0dbec3825aa6f881474e5b615d1260ad9ef8686a27e6e969a7eda2080069d74ab5ced9075a24f22905fab0e715246817d91c732b747eebb4604e8bdb5b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
583e5177e511e64235a55f7f8690c311

SHA1
1fe2e6304185a11413707c188ed42f0aa65798e4

SHA256
6607da4fe21bdee4f9f412db8c925b45da1a9ecdbe769f0efcf52e3a84e79ddd

SHA512
bb46a037c387b64de7f6b09d11fc93c3f6dedff94698b7080787f986a606347da8f37b2380569e05dbcac7632df8e3908525a62b284ea638592c94593fc18ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedon.exe

Filesize
404KB

MD5
6962f82dc326dacb21e9bf9ff6069835

SHA1
8e1de34ced9d95bd1e6b5e35a7476835e17804d7

SHA256
fe01f02468f75a48fe6fed150bc3fd430e40dda0aa32b6588e26a826996c2e00

SHA512
014c1098c5390e726d85ceec4503a315a251f84d827e4c363bae41e0e9536bc7434afb29f59aa5828ac3103aef2afb7d4dd5409b9d0e8a034a4572599af43fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedon.exe

Filesize
404KB

MD5
6962f82dc326dacb21e9bf9ff6069835

SHA1
8e1de34ced9d95bd1e6b5e35a7476835e17804d7

SHA256
fe01f02468f75a48fe6fed150bc3fd430e40dda0aa32b6588e26a826996c2e00

SHA512
014c1098c5390e726d85ceec4503a315a251f84d827e4c363bae41e0e9536bc7434afb29f59aa5828ac3103aef2afb7d4dd5409b9d0e8a034a4572599af43fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedon.exe

Filesize
404KB

MD5
6962f82dc326dacb21e9bf9ff6069835

SHA1
8e1de34ced9d95bd1e6b5e35a7476835e17804d7

SHA256
fe01f02468f75a48fe6fed150bc3fd430e40dda0aa32b6588e26a826996c2e00

SHA512
014c1098c5390e726d85ceec4503a315a251f84d827e4c363bae41e0e9536bc7434afb29f59aa5828ac3103aef2afb7d4dd5409b9d0e8a034a4572599af43fe6

Download Submit
memory/1080-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1080-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download