urelas | 1bc7be609a83bfa86ee69afd364420968cf6e37e4f2720e61c2b2fd70fb7a8ec

Analysis

max time kernel
125s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe
Size

141KB
MD5

a104af8e0067fd605e098d1b24e13410
SHA1

c881014e7aadc7ebed912f1d07d25a4109b9ab3e
SHA256

1bc7be609a83bfa86ee69afd364420968cf6e37e4f2720e61c2b2fd70fb7a8ec
SHA512

0b7db8820505dd289afcd898256c8228d9693f3433f6ee14d89348839762397625deb15b15c51ec2e539a086a5fabc8f225b4b8634fc7b027aa48486cc7fd190
SSDEEP

3072:K3kHmMsmRUOMfCECCeZlmgchdvz6xs9PY0X85jx08aAP52jKR2jKqRWQ:zHbRUOqwC4mgg44jKojKqRb

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
780	vmqa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 780	4124	NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe	89
PID 4124 wrote to memory of 780	4124	NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe	89
PID 4124 wrote to memory of 780	4124	NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe	89
PID 4124 wrote to memory of 4232	4124	NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe	90
PID 4124 wrote to memory of 4232	4124	NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe	90
PID 4124 wrote to memory of 4232	4124	NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a104af8e0067fd605e098d1b24e13410_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\vmqa.exe
  "C:\Users\Admin\AppData\Local\Temp\vmqa.exe"
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c7206954aef658c44b70e9bf8b6d6af6

SHA1
8749fa4027a48155f82d75e4f6f272e7a1eeb624

SHA256
c5761e1bc4777a842695a0bc00843508c579aef8d449c8372da1d0e06b040236

SHA512
4609f0d0078bb412bdfd7136ce16cd1d78ab12fbd4c054ab30c65fbc8e93454fd2e4719c892a48b170423a321bb26f3dbcd9813780d4e10eb765d51a687786f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
a79a57bbbecc50d6c574441b8d73b195

SHA1
d03228140e56cf040d953a946374fed031d03525

SHA256
c8df68da88a1156dc617f6c191d854f601072a204f99665b4e8a83057f2532ad

SHA512
5f9fcc73175173ca7085d4a718bf2a4546ed4710f62ad0efc1f03305a800205716dc08007ad36cf677a394140432c0c0190bb70824dd9be48022de64f0c25816

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmqa.exe

Filesize
141KB

MD5
ca4a75532ab97d3af9a8ecbe5ca1e301

SHA1
5dbb090e8e08ee95b7ca71b6a49006e8395afc4d

SHA256
05313c3f7512e0d94a56a4899d5e17b891d557d2a07d17a9b818b907a4c4132d

SHA512
b75214d5db08aff3dfec418b528805881168c2d81f262aa3601644af66d61e4cd4d300a18ca54c9fb67cc3e318c2e26dc28113975c7edc79b56c75869f772bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmqa.exe

Filesize
141KB

MD5
ca4a75532ab97d3af9a8ecbe5ca1e301

SHA1
5dbb090e8e08ee95b7ca71b6a49006e8395afc4d

SHA256
05313c3f7512e0d94a56a4899d5e17b891d557d2a07d17a9b818b907a4c4132d

SHA512
b75214d5db08aff3dfec418b528805881168c2d81f262aa3601644af66d61e4cd4d300a18ca54c9fb67cc3e318c2e26dc28113975c7edc79b56c75869f772bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmqa.exe

Filesize
141KB

MD5
ca4a75532ab97d3af9a8ecbe5ca1e301

SHA1
5dbb090e8e08ee95b7ca71b6a49006e8395afc4d

SHA256
05313c3f7512e0d94a56a4899d5e17b891d557d2a07d17a9b818b907a4c4132d

SHA512
b75214d5db08aff3dfec418b528805881168c2d81f262aa3601644af66d61e4cd4d300a18ca54c9fb67cc3e318c2e26dc28113975c7edc79b56c75869f772bd8

Download Submit
memory/780-13-0x0000000000D20000-0x0000000000D4B000-memory.dmp

Filesize
172KB

Download
memory/780-14-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/780-20-0x0000000000D20000-0x0000000000D4B000-memory.dmp

Filesize
172KB

Download
memory/780-26-0x0000000000D20000-0x0000000000D4B000-memory.dmp

Filesize
172KB

Download
memory/4124-0-0x0000000000600000-0x000000000062B000-memory.dmp

Filesize
172KB

Download
memory/4124-4-0x0000000000600000-0x000000000062B000-memory.dmp

Filesize
172KB

Download
memory/4124-18-0x0000000000600000-0x000000000062B000-memory.dmp

Filesize
172KB

Download
memory/4124-1-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download