urelas | 70202ad057751a030d58d4e19c7d6e28b3c655948f38f549d623ca13bb83d303

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 01:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.78724ec003ab9d19102892967900a950.exe
Size

140KB
MD5

78724ec003ab9d19102892967900a950
SHA1

d13330228e37b2e31295115dfd6a6f36ced76f65
SHA256

70202ad057751a030d58d4e19c7d6e28b3c655948f38f549d623ca13bb83d303
SHA512

08d26a510730a87e54f839647c23ed51f4c67dc13194654c8a2447e3e021c10303aec088e9254e619f169fed3587437bdef9086eafd629cd88a48f1fa4c202d6
SSDEEP

1536:2xo3t29IAhUANTAfLocwaIG0rByDDqG+UKLnuvUYY9TRWEhVnLaMjF04q0JEGhM0:J8VUcTAWG8HGCnuvqTAGdXqQ60

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.78724ec003ab9d19102892967900a950.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4392	4240	NEAS.78724ec003ab9d19102892967900a950.exe	91
PID 4240 wrote to memory of 4392	4240	NEAS.78724ec003ab9d19102892967900a950.exe	91
PID 4240 wrote to memory of 4392	4240	NEAS.78724ec003ab9d19102892967900a950.exe	91
PID 4240 wrote to memory of 3824	4240	NEAS.78724ec003ab9d19102892967900a950.exe	92
PID 4240 wrote to memory of 3824	4240	NEAS.78724ec003ab9d19102892967900a950.exe	92
PID 4240 wrote to memory of 3824	4240	NEAS.78724ec003ab9d19102892967900a950.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.78724ec003ab9d19102892967900a950.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.78724ec003ab9d19102892967900a950.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4bcd5760382115448ea19d304399421a

SHA1
53b99faea656d8aa4185ef0d70484bfff369aed5

SHA256
6d54d3892e4143673e11e1de502b13890c1d98ca592d0fc0445b1134150b5199

SHA512
cbeed374df083810bab5da9187caa989685310790fcc32f750c8ce21195345247beeefe333c2d4004138516f784d98000e42fde0eab2294c17100044cf7bca30

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
140KB

MD5
ac887c41aed7a8c56764ae3dc3a13049

SHA1
a332d9c5651845822c179fea21027d85da223ff0

SHA256
014d81bf9932cae5e7c930e5e292d22904f772c6065725a60586ae7cf842e76f

SHA512
be84cd105f509ef21284acac81a96679b9c620462b3ede97044a7eba7088143297649842ecf7104f3d16f072af585d3c1eda0e5abfb7b165181265bd58e4310c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
140KB

MD5
ac887c41aed7a8c56764ae3dc3a13049

SHA1
a332d9c5651845822c179fea21027d85da223ff0

SHA256
014d81bf9932cae5e7c930e5e292d22904f772c6065725a60586ae7cf842e76f

SHA512
be84cd105f509ef21284acac81a96679b9c620462b3ede97044a7eba7088143297649842ecf7104f3d16f072af585d3c1eda0e5abfb7b165181265bd58e4310c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
140KB

MD5
ac887c41aed7a8c56764ae3dc3a13049

SHA1
a332d9c5651845822c179fea21027d85da223ff0

SHA256
014d81bf9932cae5e7c930e5e292d22904f772c6065725a60586ae7cf842e76f

SHA512
be84cd105f509ef21284acac81a96679b9c620462b3ede97044a7eba7088143297649842ecf7104f3d16f072af585d3c1eda0e5abfb7b165181265bd58e4310c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
44e18a8715d2564a8099ce8ce6f67da7

SHA1
422fb53ccd7fc45ea70f01108c66a873b495ff62

SHA256
e1d79f3128770304bbae6f3173ee8e1933f6738ed0ef55bac3e007ddbaa4166a

SHA512
a5ed856c5ac2296828f04150c8ef914889bbffddbd7df78cf9c094c5a25f4776955da974eefc8b813bf74a1fb4ad515c91236e0f7ac3ce7d7e6a74c6be6d5849

Download Submit
memory/4240-0-0x0000000000BE0000-0x0000000000C2E000-memory.dmp

Filesize
312KB

Download
memory/4240-16-0x0000000000BE0000-0x0000000000C2E000-memory.dmp

Filesize
312KB

Download
memory/4240-1-0x0000000000BE0000-0x0000000000C2E000-memory.dmp

Filesize
312KB

Download
memory/4392-11-0x0000000000650000-0x000000000069E000-memory.dmp

Filesize
312KB

Download
memory/4392-14-0x0000000000650000-0x000000000069E000-memory.dmp

Filesize
312KB

Download
memory/4392-19-0x0000000000650000-0x000000000069E000-memory.dmp

Filesize
312KB

Download
memory/4392-21-0x0000000000650000-0x000000000069E000-memory.dmp

Filesize
312KB

Download
memory/4392-27-0x0000000000650000-0x000000000069E000-memory.dmp

Filesize
312KB

Download