urelas | 2014ed28492f959fd0dd8e61a4b418ba6273c6748b7c5b2a333315f7ff86923e

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe
Size

124KB
MD5

cc8071267a830c96c9b12ba6eca48ba0
SHA1

4e9f68d45803ddef0a87afbe04603535259c4b3e
SHA256

2014ed28492f959fd0dd8e61a4b418ba6273c6748b7c5b2a333315f7ff86923e
SHA512

4803d28d18c0a7ec9bcd78e606c9d39b53aefe21b52e9562599b33b513633672531a0d3d9b561c057b1b37647c6554b50f126dd4a7bcb4e071677ebc8406caba
SSDEEP

1536:3C+ltNKIxyDjxxNA6vOOZsBLD/qMJEAhHmRYHE7mqfm0ym:3C+ltUIs9pO9/jj8YKmg

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
892	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 892	4260	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	89
PID 4260 wrote to memory of 892	4260	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	89
PID 4260 wrote to memory of 892	4260	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	89
PID 4260 wrote to memory of 4980	4260	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	90
PID 4260 wrote to memory of 4980	4260	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	90
PID 4260 wrote to memory of 4980	4260	NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cc8071267a830c96c9b12ba6eca48ba0_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6c7b9d5d0c8c895b27e9c92196ff145c

SHA1
5df3e0a05d84df13876a50c8607f6f86bf588380

SHA256
1246443d1394e56a60994bcc80a29239ffa86467f5fcfb4a962a50736b865dce

SHA512
64899b68c5812765762d076699fc007df0c4397a24999c3ad8cb3d7556737696b383b039c89b41099ee63249e7d76acbcf1fd84311de5abc98008b05fd176424

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
124KB

MD5
6d61db36770a74bd81a093c9fe68bab4

SHA1
02015312fec61f51340c64f1cbedb4c619166ac5

SHA256
4bb40514b0595b232c0de998b3ff0fa2cc793604e9bf055cdb103808396cb2bc

SHA512
a89144801427866089d246c995a93a32cbc2a9c3e4fd575ae50dac3b772936565b9afc8df2296cf9bba820719c30365b09e54086fd0c7f9f915620f23d9b8781

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
124KB

MD5
6d61db36770a74bd81a093c9fe68bab4

SHA1
02015312fec61f51340c64f1cbedb4c619166ac5

SHA256
4bb40514b0595b232c0de998b3ff0fa2cc793604e9bf055cdb103808396cb2bc

SHA512
a89144801427866089d246c995a93a32cbc2a9c3e4fd575ae50dac3b772936565b9afc8df2296cf9bba820719c30365b09e54086fd0c7f9f915620f23d9b8781

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
124KB

MD5
6d61db36770a74bd81a093c9fe68bab4

SHA1
02015312fec61f51340c64f1cbedb4c619166ac5

SHA256
4bb40514b0595b232c0de998b3ff0fa2cc793604e9bf055cdb103808396cb2bc

SHA512
a89144801427866089d246c995a93a32cbc2a9c3e4fd575ae50dac3b772936565b9afc8df2296cf9bba820719c30365b09e54086fd0c7f9f915620f23d9b8781

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
699804403efdf1f7bd04d0099ba2d1d7

SHA1
8084e71ee200516edd30b0e716159dfa9ed413fa

SHA256
15ad2bce29a7df01ee0e6cc629167ed69a770503246e0bbac1c0427d8745e7b8

SHA512
e3d2aa4538d3505dc8d573428f8b1698d1058e240ee5d4778270c32d285ba51367580279979cf15e72d8253f12affdb2f38186dc52abac4da6979b880909e457

Download Submit
memory/892-13-0x0000000000B40000-0x0000000000B8D000-memory.dmp

Filesize
308KB

Download
memory/892-19-0x0000000000B40000-0x0000000000B8D000-memory.dmp

Filesize
308KB

Download
memory/892-22-0x0000000000B40000-0x0000000000B8D000-memory.dmp

Filesize
308KB

Download
memory/892-28-0x0000000000B40000-0x0000000000B8D000-memory.dmp

Filesize
308KB

Download
memory/4260-4-0x0000000000650000-0x000000000069D000-memory.dmp

Filesize
308KB

Download
memory/4260-0-0x0000000000650000-0x000000000069D000-memory.dmp

Filesize
308KB

Download
memory/4260-16-0x0000000000650000-0x000000000069D000-memory.dmp

Filesize
308KB

Download
memory/4260-1-0x0000000000650000-0x000000000069D000-memory.dmp

Filesize
308KB

Download