urelas | 94181c81dadb20f8c08e403539ac887ce483115f2df8d3817feab2b204b6714d

Analysis

max time kernel
165s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5abe6d760deb88c44b47dbf866e16120.exe
Size

466KB
MD5

5abe6d760deb88c44b47dbf866e16120
SHA1

0af4527d0fe047cee6dd432d4a267631c1cee103
SHA256

94181c81dadb20f8c08e403539ac887ce483115f2df8d3817feab2b204b6714d
SHA512

c19443c2eba178afb656f088f5f0ab37fafd686642ec74d6f9d09bbd3aa0027b8b199e50f9b6aa90a5de4f0b593e75f54cd42b1783f882e8122ef3bf87e90725
SSDEEP

12288:j3CtSokfFGUMKwlTIU/b37dJ75WEe+eKTxB6m8:jx9GzHlTv/b35tecFB6p

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.5abe6d760deb88c44b47dbf866e16120.exe

Executes dropped EXE 1 IoCs

pid	Process
4048	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4048	1528	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	98
PID 1528 wrote to memory of 4048	1528	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	98
PID 1528 wrote to memory of 4048	1528	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	98
PID 1528 wrote to memory of 4760	1528	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	99
PID 1528 wrote to memory of 4760	1528	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	99
PID 1528 wrote to memory of 4760	1528	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.5abe6d760deb88c44b47dbf866e16120.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5abe6d760deb88c44b47dbf866e16120.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
8ed9fd05d078b87e45fcc0875548650b

SHA1
27557db6ea2413136363b272601506511db133bc

SHA256
12fdfbde565264047154d1e3fe4de9b81f8d9b720dbaa69dd5b3cea957a17d79

SHA512
098d20a40fb2a24db55bb4b9459d99fdb0a91a8fc136eb0c52d337b42838fc49ddde1330746f5e962affe818499142f6d6fbad5c57ca628afec22dd33cd9cd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145cec05d8d704ff7aa3d812b1aff628

SHA1
097ae09965ed3804359803708b8af87b5b90fcbb

SHA256
66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea

SHA512
1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
466KB

MD5
c8f1e5836542d7b0f37549d96ccca985

SHA1
90924b677fcf22fe9bb51b19aae05a71f6e49cca

SHA256
a100a9c1586e2a4255e6f34c2d53c302f7de940f1a528943f1717136a30c1c47

SHA512
d97cc3fc0286ec7b19c81144fc70cf8eadcade79aa60663311d9ab824eeaa8f2eec6a080ecaf2694b76604e3a4dc6fd962e3022de3a9f5ee372c081f110f31d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
466KB

MD5
c8f1e5836542d7b0f37549d96ccca985

SHA1
90924b677fcf22fe9bb51b19aae05a71f6e49cca

SHA256
a100a9c1586e2a4255e6f34c2d53c302f7de940f1a528943f1717136a30c1c47

SHA512
d97cc3fc0286ec7b19c81144fc70cf8eadcade79aa60663311d9ab824eeaa8f2eec6a080ecaf2694b76604e3a4dc6fd962e3022de3a9f5ee372c081f110f31d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
466KB

MD5
c8f1e5836542d7b0f37549d96ccca985

SHA1
90924b677fcf22fe9bb51b19aae05a71f6e49cca

SHA256
a100a9c1586e2a4255e6f34c2d53c302f7de940f1a528943f1717136a30c1c47

SHA512
d97cc3fc0286ec7b19c81144fc70cf8eadcade79aa60663311d9ab824eeaa8f2eec6a080ecaf2694b76604e3a4dc6fd962e3022de3a9f5ee372c081f110f31d7

Download Submit
memory/1528-0-0x0000000000DF0000-0x0000000000E72000-memory.dmp

Filesize
520KB

Download
memory/1528-1-0x0000000000DF0000-0x0000000000E72000-memory.dmp

Filesize
520KB

Download
memory/1528-16-0x0000000000DF0000-0x0000000000E72000-memory.dmp

Filesize
520KB

Download
memory/4048-11-0x0000000000320000-0x00000000003A2000-memory.dmp

Filesize
520KB

Download
memory/4048-18-0x0000000000320000-0x00000000003A2000-memory.dmp

Filesize
520KB

Download
memory/4048-19-0x0000000000320000-0x00000000003A2000-memory.dmp

Filesize
520KB

Download