urelas | ab606707a0af318a5c6de74150537db93d2c0f35b5a29c54a88ae4d34dbd2c35

Analysis

max time kernel
126s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6240cda4202c834e1011a6f64d524990.exe
Size

404KB
MD5

6240cda4202c834e1011a6f64d524990
SHA1

2729d163ae56f2beeff217e4f818c3192d339094
SHA256

ab606707a0af318a5c6de74150537db93d2c0f35b5a29c54a88ae4d34dbd2c35
SHA512

fd968d3a78601a774fa54c2bdb0014417e58becf4a86f563780682d2fd463e31222f8014b25404b4b0f44af206d6db89d863109473163af6600aa062e6a1d2c7
SSDEEP

6144:UzU7blKDlTiCWhWapKRaRXOkN4Swel6f3IuOI:uU7M1ijWh0XOW4sEfHOI

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.6240cda4202c834e1011a6f64d524990.exe

Executes dropped EXE 1 IoCs

pid	Process
936	onjit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4464	724	WerFault.exe	85
316	724	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 936	724	NEAS.6240cda4202c834e1011a6f64d524990.exe	92
PID 724 wrote to memory of 936	724	NEAS.6240cda4202c834e1011a6f64d524990.exe	92
PID 724 wrote to memory of 936	724	NEAS.6240cda4202c834e1011a6f64d524990.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.6240cda4202c834e1011a6f64d524990.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6240cda4202c834e1011a6f64d524990.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\AppData\Local\Temp\onjit.exe
  "C:\Users\Admin\AppData\Local\Temp\onjit.exe"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1188
  2⤵
  - Program crash
  PID:4464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1172
  2⤵
  - Program crash
  PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 724 -ip 724
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 724 -ip 724
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e3ad17f26ac3f6bea8a87738a2aa900a

SHA1
77afbdca7739250faab94214edee80a78bd87b1e

SHA256
74d29c7805e0a426818a136feb0ed3a72a5ab8990f5f235753ccf77d114b13de

SHA512
2a309da08bc6e78008882ec9445f13fb74dae93bf1951a963b7ed5ebe159b720504fcebac9c5bf7a5966c1cc1f822228b81cc337de7bff984f444ab413b3328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onjit.exe

Filesize
404KB

MD5
b922ed7d5dacbf190ea81fb07dc30537

SHA1
f77aefbb2f35097ed2b4f08ce1b86b8dff7df29e

SHA256
2141d8baf2e7696351f707fbb5b229c69d48ed2795a09b5076e3226f7410b229

SHA512
ebadab54c9c3ca1cad89b005570375016bf8895c6c51bb0dc4623c2c4ea2375bad782a4fe31665089aa0a7c5d3ebcad39cc81e290c93a1ef621b8a30d3ae375d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onjit.exe

Filesize
404KB

MD5
b922ed7d5dacbf190ea81fb07dc30537

SHA1
f77aefbb2f35097ed2b4f08ce1b86b8dff7df29e

SHA256
2141d8baf2e7696351f707fbb5b229c69d48ed2795a09b5076e3226f7410b229

SHA512
ebadab54c9c3ca1cad89b005570375016bf8895c6c51bb0dc4623c2c4ea2375bad782a4fe31665089aa0a7c5d3ebcad39cc81e290c93a1ef621b8a30d3ae375d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onjit.exe

Filesize
404KB

MD5
b922ed7d5dacbf190ea81fb07dc30537

SHA1
f77aefbb2f35097ed2b4f08ce1b86b8dff7df29e

SHA256
2141d8baf2e7696351f707fbb5b229c69d48ed2795a09b5076e3226f7410b229

SHA512
ebadab54c9c3ca1cad89b005570375016bf8895c6c51bb0dc4623c2c4ea2375bad782a4fe31665089aa0a7c5d3ebcad39cc81e290c93a1ef621b8a30d3ae375d

Download Submit
memory/724-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/724-10-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/936-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download