urelas | 3d7fc49e3aa443f4a2b76f42b5fbb2a440043026559ba753f5f7b25fb80c1c21

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 11:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0dd98e2be17fc66f811c5f0ca7655d71_JC.exe
Size

56KB
MD5

0dd98e2be17fc66f811c5f0ca7655d71
SHA1

a2dfd1dbaed6ab8336882c18999c01f43569872e
SHA256

3d7fc49e3aa443f4a2b76f42b5fbb2a440043026559ba753f5f7b25fb80c1c21
SHA512

91bb32d9753c078efa352228f71641ca566458ba801b0df0cccb7723a73ee4894874d6117dee17c589e8ab64196699622abb74b2012f9a50ba379dcd6c0c18ac
SSDEEP

1536:ZjMcyJNDLl7bSHliJQmpoDX+wtS1syxMD3G9:ZjwfvQlEhpoT3YVWDW9

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	0dd98e2be17fc66f811c5f0ca7655d71_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4680	dofhir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4680	3844	0dd98e2be17fc66f811c5f0ca7655d71_JC.exe	85
PID 3844 wrote to memory of 4680	3844	0dd98e2be17fc66f811c5f0ca7655d71_JC.exe	85
PID 3844 wrote to memory of 4680	3844	0dd98e2be17fc66f811c5f0ca7655d71_JC.exe	85
PID 3844 wrote to memory of 1772	3844	0dd98e2be17fc66f811c5f0ca7655d71_JC.exe	87
PID 3844 wrote to memory of 1772	3844	0dd98e2be17fc66f811c5f0ca7655d71_JC.exe	87
PID 3844 wrote to memory of 1772	3844	0dd98e2be17fc66f811c5f0ca7655d71_JC.exe	87

C:\Users\Admin\AppData\Local\Temp\0dd98e2be17fc66f811c5f0ca7655d71_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0dd98e2be17fc66f811c5f0ca7655d71_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\dofhir.exe
  "C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
56KB

MD5
d6995461926b480b61a5ff81674913fe

SHA1
8bac912d93cf84ff8986133b72a4ab048a2fabc5

SHA256
c74aec2edc17c953ff0cd0db571568779e8e08ba8e2de1dcc60e8343acaaf7d2

SHA512
4ab427dfbd913b8137d56418fc13e423033d13faf98c1c50838159f0c1103e44dea409b84b1e20191dd3ad67bb8a63cdb692427480aa48c1fbb2ed05f30ae857

Download Submit
C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
56KB

MD5
d6995461926b480b61a5ff81674913fe

SHA1
8bac912d93cf84ff8986133b72a4ab048a2fabc5

SHA256
c74aec2edc17c953ff0cd0db571568779e8e08ba8e2de1dcc60e8343acaaf7d2

SHA512
4ab427dfbd913b8137d56418fc13e423033d13faf98c1c50838159f0c1103e44dea409b84b1e20191dd3ad67bb8a63cdb692427480aa48c1fbb2ed05f30ae857

Download Submit
C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
56KB

MD5
d6995461926b480b61a5ff81674913fe

SHA1
8bac912d93cf84ff8986133b72a4ab048a2fabc5

SHA256
c74aec2edc17c953ff0cd0db571568779e8e08ba8e2de1dcc60e8343acaaf7d2

SHA512
4ab427dfbd913b8137d56418fc13e423033d13faf98c1c50838159f0c1103e44dea409b84b1e20191dd3ad67bb8a63cdb692427480aa48c1fbb2ed05f30ae857

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1bda36d555a6a668c71a805d0fef7b43

SHA1
63ef5ec40ea61e0803c5f988c5f5b1fe5834eeab

SHA256
91fc9a1836c535aa1bfa3288c635d24a44b76f9837702d0540fa8c1b97551a4c

SHA512
5b01bfe55ff24db66250d5555b29fae4c24d988827b47301fc319dafcabd33ab2944789395c35a002919ebcf042da989d8cfa95349c3f7344d58b20b31b23ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
280B

MD5
f2d9d63a1e9dddf91ed985c91bf48751

SHA1
fc648371bf3a053db307995137d182c79522d43b

SHA256
424c3c1f9f7a33ffe2b7b6760e3d1d7804b0f699c1e0df871153e373b217db72

SHA512
41573a3a42c168a47437ab3152afce5cf88625605ea24b36f1f40575d396192d0830d24284ca35614348dbe931f9db85b0fc5730ae0653ec9218438f842b422b

Download Submit
memory/3844-0-0x0000000000CF0000-0x0000000000D19000-memory.dmp

Filesize
164KB

Download
memory/3844-14-0x0000000000CF0000-0x0000000000D19000-memory.dmp

Filesize
164KB

Download
memory/4680-11-0x0000000000480000-0x00000000004A9000-memory.dmp

Filesize
164KB

Download
memory/4680-17-0x0000000000480000-0x00000000004A9000-memory.dmp

Filesize
164KB

Download
memory/4680-19-0x0000000000480000-0x00000000004A9000-memory.dmp

Filesize
164KB

Download
memory/4680-25-0x0000000000480000-0x00000000004A9000-memory.dmp

Filesize
164KB

Download