urelas | c2ad07f6409b5d13c7223617a26bfa38260d3e56da5c9058fe4ef4f095cb006c

Analysis

max time kernel
148s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 10:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe
Size

56KB
MD5

3f98df67db67c2ad72bba1fdea39aab0
SHA1

2386e0d16025ccd3f87f567ac5725cb69115b62d
SHA256

c2ad07f6409b5d13c7223617a26bfa38260d3e56da5c9058fe4ef4f095cb006c
SHA512

3544672244a92b2e2ffe60791d4a3de3d143146464d803e29a6916bbe0662fc137ab7cd22dc15bc914ed8a8b80114480c494df13aebc7b569f3abd278d6fc870
SSDEEP

1536:ZjMcyJNDLl7bSHliJQmpoDX+wtS1syxMPa/:ZjwfvQlEhpoT3YVWPq

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	dofhir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1700	3024	NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe	91
PID 3024 wrote to memory of 1700	3024	NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe	91
PID 3024 wrote to memory of 1700	3024	NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe	91
PID 3024 wrote to memory of 2420	3024	NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe	92
PID 3024 wrote to memory of 2420	3024	NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe	92
PID 3024 wrote to memory of 2420	3024	NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3f98df67db67c2ad72bba1fdea39aab0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\dofhir.exe
  "C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
56KB

MD5
57a98019f0c7d83530f8009433d827bd

SHA1
fca5896a8616700ab5a9af4aefbd1dabff09eb68

SHA256
6bac4924ca679d4c32eb8978f4ab83d8663944607a382dc6c61da8f76460eca0

SHA512
fe733f351be8c6f958b5eb9c314be2dd44c40f19a697ad066899994ac0477fa173eea7fca195f4ee6f513b2fba4e3cacbc6db591fa80834f58413dc75a65affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
56KB

MD5
57a98019f0c7d83530f8009433d827bd

SHA1
fca5896a8616700ab5a9af4aefbd1dabff09eb68

SHA256
6bac4924ca679d4c32eb8978f4ab83d8663944607a382dc6c61da8f76460eca0

SHA512
fe733f351be8c6f958b5eb9c314be2dd44c40f19a697ad066899994ac0477fa173eea7fca195f4ee6f513b2fba4e3cacbc6db591fa80834f58413dc75a65affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dofhir.exe

Filesize
56KB

MD5
57a98019f0c7d83530f8009433d827bd

SHA1
fca5896a8616700ab5a9af4aefbd1dabff09eb68

SHA256
6bac4924ca679d4c32eb8978f4ab83d8663944607a382dc6c61da8f76460eca0

SHA512
fe733f351be8c6f958b5eb9c314be2dd44c40f19a697ad066899994ac0477fa173eea7fca195f4ee6f513b2fba4e3cacbc6db591fa80834f58413dc75a65affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1bda36d555a6a668c71a805d0fef7b43

SHA1
63ef5ec40ea61e0803c5f988c5f5b1fe5834eeab

SHA256
91fc9a1836c535aa1bfa3288c635d24a44b76f9837702d0540fa8c1b97551a4c

SHA512
5b01bfe55ff24db66250d5555b29fae4c24d988827b47301fc319dafcabd33ab2944789395c35a002919ebcf042da989d8cfa95349c3f7344d58b20b31b23ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
130b1b3cb17adc7f3dc7d4cac416a71e

SHA1
653621e8cbdb699ef07438cebfeff69370347f33

SHA256
a2ddcc947c1280991849d54dfea589048a98b260215fc7a766d4dddcb51e622b

SHA512
91ecb4784901e8ee92888081877eaa6fe773c886eb0fcb2f3844615f0989c1739ef4831b12148d63fadc1e12fffdd3f4e47dc069c71a8cf7d8f621df1eea1484

Download Submit
memory/1700-11-0x00000000004F0000-0x0000000000519000-memory.dmp

Filesize
164KB

Download
memory/1700-18-0x00000000004F0000-0x0000000000519000-memory.dmp

Filesize
164KB

Download
memory/1700-20-0x00000000004F0000-0x0000000000519000-memory.dmp

Filesize
164KB

Download
memory/1700-26-0x00000000004F0000-0x0000000000519000-memory.dmp

Filesize
164KB

Download
memory/3024-0-0x0000000000FD0000-0x0000000000FF9000-memory.dmp

Filesize
164KB

Download
memory/3024-3-0x0000000000FD0000-0x0000000000FF9000-memory.dmp

Filesize
164KB

Download
memory/3024-15-0x0000000000FD0000-0x0000000000FF9000-memory.dmp

Filesize
164KB

Download