urelas | f47dac99ccfaf1d1e12273bfc0ec20db9bfa85a111b9c754ca9e209133f11a6e

Analysis

max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe
Size

141KB
MD5

79f32ad8875d9c96a538ab5894973571
SHA1

f83a9084b7ef7e7031a061c69c254aa3156a17e1
SHA256

f47dac99ccfaf1d1e12273bfc0ec20db9bfa85a111b9c754ca9e209133f11a6e
SHA512

8f9a8dfab3e9274b0fd44ee9303d9b86f467a650366688895437e92eede201f5272347771914ca85f5879e898f17f9235f9df309a435997dc657cc267d57455f
SSDEEP

3072:K3kHmMsmRUOMfCECCeZlmgchdvz6xs9PY0X85jx08aAP52jKR2jKqRWX:zHbRUOqwC4mgg44jKojKqRy

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	panc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2496	1864	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	90
PID 1864 wrote to memory of 2496	1864	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	90
PID 1864 wrote to memory of 2496	1864	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	90
PID 1864 wrote to memory of 1260	1864	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	91
PID 1864 wrote to memory of 1260	1864	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	91
PID 1864 wrote to memory of 1260	1864	NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.79f32ad8875d9c96a538ab5894973571_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\panc.exe
  "C:\Users\Admin\AppData\Local\Temp\panc.exe"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aac4d5edc405adf19bd0fd5037acbb60

SHA1
2653f2a47f00bf181180a3ed255df2bc3754e0f0

SHA256
516c7b4fbb08c3de1db0a920ce7191aea6e1498c458f16cb5d1e5a892c948dcb

SHA512
6290fd7939ac5e69d9df5d5374b6fd5e15efae9a94cc6f2a4f149711ad25a1d44207a0bce1cc0ede04c66735af2a005cc1de8a042e9acfe560c0c21ec5755df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\panc.exe

Filesize
141KB

MD5
0f133ce6033f4d3af4f9568290cd8e7b

SHA1
7e47f09cdb4e703657e3ba1306c31b2b37bd085a

SHA256
ec4003eba498234b8d449737a208fe9ab2bbd3c3d2795a20afcb15dbb565bd27

SHA512
85266530994dd5818d9f34a905465f861595fac26ec5871722398ee8ccc1e591e18d53b0663e40a45af727e520bc86db5a9d63f77b5016c0e53b1113306cf989

Download Submit
C:\Users\Admin\AppData\Local\Temp\panc.exe

Filesize
141KB

MD5
0f133ce6033f4d3af4f9568290cd8e7b

SHA1
7e47f09cdb4e703657e3ba1306c31b2b37bd085a

SHA256
ec4003eba498234b8d449737a208fe9ab2bbd3c3d2795a20afcb15dbb565bd27

SHA512
85266530994dd5818d9f34a905465f861595fac26ec5871722398ee8ccc1e591e18d53b0663e40a45af727e520bc86db5a9d63f77b5016c0e53b1113306cf989

Download Submit
C:\Users\Admin\AppData\Local\Temp\panc.exe

Filesize
141KB

MD5
0f133ce6033f4d3af4f9568290cd8e7b

SHA1
7e47f09cdb4e703657e3ba1306c31b2b37bd085a

SHA256
ec4003eba498234b8d449737a208fe9ab2bbd3c3d2795a20afcb15dbb565bd27

SHA512
85266530994dd5818d9f34a905465f861595fac26ec5871722398ee8ccc1e591e18d53b0663e40a45af727e520bc86db5a9d63f77b5016c0e53b1113306cf989

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
c635b812ea49e55d192a94a3eef7672f

SHA1
47df60df111f3b54e2603126454962954a48fa1c

SHA256
3bb66fb5c11aef4d4ba2d320aef813ca36d465d2f6db8f44a5bae204a73bcabd

SHA512
1576b92f1c59391f8ffbe527bdf3d8c517152a6dcb6ff3a6a7fbf48e5f53e7c93a23cbaf2dba7b5d5aa6490c572727cdb3c60fdd917b19a71aa0a2819beec0b4

Download Submit
memory/1864-0-0x0000000000590000-0x00000000005BB000-memory.dmp

Filesize
172KB

Download
memory/1864-1-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1864-16-0x0000000000590000-0x00000000005BB000-memory.dmp

Filesize
172KB

Download
memory/2496-11-0x0000000000C00000-0x0000000000C2B000-memory.dmp

Filesize
172KB

Download
memory/2496-13-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2496-19-0x0000000000C00000-0x0000000000C2B000-memory.dmp

Filesize
172KB

Download
memory/2496-25-0x0000000000C00000-0x0000000000C2B000-memory.dmp

Filesize
172KB

Download