urelas | d0d73efe8ddf13325f7f136d18c18b0e8584a0747129ac7994a88054a448b168

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3994c840d6f44530b65344ae7db13510_JC.exe
Size

436KB
MD5

3994c840d6f44530b65344ae7db13510
SHA1

291b9f6494d6a4b3f105f8d91b558f90582164c5
SHA256

d0d73efe8ddf13325f7f136d18c18b0e8584a0747129ac7994a88054a448b168
SHA512

dad1da2bcdd177da87c6476268b8eb7c352c9890dc754c35320825dde5ecb320cbe6cb772eb74fd08547537cce9306f8fe4c68caac2ae534e52636aa2265eade
SSDEEP

3072:yZ3vlHjQhJ3wE8iGK01Py3Vvsa26nfjQb6uNHG+yi38/rwdusS9V0alO2alNjgSr:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjoO

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	3994c840d6f44530b65344ae7db13510_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1904	giijo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1904	1928	3994c840d6f44530b65344ae7db13510_JC.exe	87
PID 1928 wrote to memory of 1904	1928	3994c840d6f44530b65344ae7db13510_JC.exe	87
PID 1928 wrote to memory of 1904	1928	3994c840d6f44530b65344ae7db13510_JC.exe	87
PID 1928 wrote to memory of 1940	1928	3994c840d6f44530b65344ae7db13510_JC.exe	88
PID 1928 wrote to memory of 1940	1928	3994c840d6f44530b65344ae7db13510_JC.exe	88
PID 1928 wrote to memory of 1940	1928	3994c840d6f44530b65344ae7db13510_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\3994c840d6f44530b65344ae7db13510_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3994c840d6f44530b65344ae7db13510_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\giijo.exe
  "C:\Users\Admin\AppData\Local\Temp\giijo.exe"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
745c761610d54273088f162b02159ff8

SHA1
8e1d5a30b94bc32a89a4fa03d63c1904333143af

SHA256
76bf7f32d3daa0b7ac4396446ab14d616f774ffeeed76c40addf3e56e38069d6

SHA512
e1053d5b73ff6b11edb513f4ec1f8ecebd3c4e9805bae3d07cb2fb0fb3b9441c68efced3e37b2fe61c9aeef9555c5b8e4c3de9d69a8dc8118e3cbeb04765af55

Download Submit
C:\Users\Admin\AppData\Local\Temp\giijo.exe

Filesize
436KB

MD5
03c0c7a2b87e43af46bef9f92b1cb526

SHA1
a6ca6e0a14940afce9d66cd2524aacc6c852fcc0

SHA256
19f6a64ae98559100af2080ed34bb8e50fc2a62552702a78507f2557b851200c

SHA512
69604fb4d1a7b5bb6fbecc7a9dfed1cb9433459954e210847aebc5a4191022fcf4ad518fd8a511eab04afaf18f405be2116666d5f42f69ec0bbc4aac87af9ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\giijo.exe

Filesize
436KB

MD5
03c0c7a2b87e43af46bef9f92b1cb526

SHA1
a6ca6e0a14940afce9d66cd2524aacc6c852fcc0

SHA256
19f6a64ae98559100af2080ed34bb8e50fc2a62552702a78507f2557b851200c

SHA512
69604fb4d1a7b5bb6fbecc7a9dfed1cb9433459954e210847aebc5a4191022fcf4ad518fd8a511eab04afaf18f405be2116666d5f42f69ec0bbc4aac87af9ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\giijo.exe

Filesize
436KB

MD5
03c0c7a2b87e43af46bef9f92b1cb526

SHA1
a6ca6e0a14940afce9d66cd2524aacc6c852fcc0

SHA256
19f6a64ae98559100af2080ed34bb8e50fc2a62552702a78507f2557b851200c

SHA512
69604fb4d1a7b5bb6fbecc7a9dfed1cb9433459954e210847aebc5a4191022fcf4ad518fd8a511eab04afaf18f405be2116666d5f42f69ec0bbc4aac87af9ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ab7b8836961c45ee2710118e0028c578

SHA1
b74594c4ba37d33a6e1afff4760c0141f861f04c

SHA256
568fa418dfefb41e3c4a4499679d43a38d29bcd6693a839aa7dba15d05b7c976

SHA512
f35e84e6c0d9063d474b94a8beb0fffc618df0585cfab8152897123370dde3aba42a3eaec998c8fb80b5dbeff120347fc6251efb8a2c82ffc8d0d7266aad77a2

Download Submit
memory/1904-11-0x0000000000BB0000-0x0000000000C1E000-memory.dmp

Filesize
440KB

Download
memory/1904-17-0x0000000000BB0000-0x0000000000C1E000-memory.dmp

Filesize
440KB

Download
memory/1928-0-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

Filesize
440KB

Download
memory/1928-14-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

Filesize
440KB

Download