urelas | f6fa648ddfbb82204eea3c91882ea8daeef16273814954fd0df863bc79ff643f

Analysis

max time kernel
144s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8babe6101d1521de02ba298a97568e37.exe
Size

466KB
MD5

8babe6101d1521de02ba298a97568e37
SHA1

c850af801d79cace908b20e3008febe5ea8b14a6
SHA256

f6fa648ddfbb82204eea3c91882ea8daeef16273814954fd0df863bc79ff643f
SHA512

295b9994606838abb0fa9f4cd40c139fd796efd66f9034e9adcfba0f24c8245ea08435e78baccd17f7b8937051f2c09ccc0ca123b277aad34ad89c7b1ca98ac7
SSDEEP

12288:93CtSokfFGUMKwlTIU/b37dJ75WEe+eKTxB6mP:9x9GzHlTv/b35tecFB6S

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	8babe6101d1521de02ba298a97568e37.exe

Executes dropped EXE 1 IoCs

pid	Process
2092	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2092	540	8babe6101d1521de02ba298a97568e37.exe	91
PID 540 wrote to memory of 2092	540	8babe6101d1521de02ba298a97568e37.exe	91
PID 540 wrote to memory of 2092	540	8babe6101d1521de02ba298a97568e37.exe	91
PID 540 wrote to memory of 4200	540	8babe6101d1521de02ba298a97568e37.exe	93
PID 540 wrote to memory of 4200	540	8babe6101d1521de02ba298a97568e37.exe	93
PID 540 wrote to memory of 4200	540	8babe6101d1521de02ba298a97568e37.exe	93

C:\Users\Admin\AppData\Local\Temp\8babe6101d1521de02ba298a97568e37.exe
"C:\Users\Admin\AppData\Local\Temp\8babe6101d1521de02ba298a97568e37.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
277B

MD5
66a5376dfa2747b33008bc7a14791e76

SHA1
a3ceeb63f267d266790a75b819e4ea55950a3b74

SHA256
41978a6eb291f34ac5e9ff51bf116d88001cfa6811302d80255d87635c537ed8

SHA512
f1dfa8ba758aabaf76f7d56c80f3da7b086c73f957a59ae904df6dcbf561514f57b2130718a85bbaee0bdc9cd66e5bbdcc4ea99eb8d3625b9068003fe38173d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145cec05d8d704ff7aa3d812b1aff628

SHA1
097ae09965ed3804359803708b8af87b5b90fcbb

SHA256
66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea

SHA512
1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
236KB

MD5
20f4623c77148b4505e761ac9acaa1ce

SHA1
9396bac8b9d796ce49d70b293e46b138c3880efb

SHA256
954db2a0926d0c183d7f15a00a1ba33d1b9a841fc05a28998758d81e69736c7f

SHA512
b8bc50da108c436d4b16e0412b52d452f8903e17d81c5f943e56b0beb714ce90a9124a080bd315d41f441d60222245a65dfeb6967b2cdd3f675a9299400febb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
194KB

MD5
142bd022f3b3e115a22bd60086332ee0

SHA1
17c8ed2bbe85485d72f73676ec4ed62654aaa629

SHA256
a5cdc5f7d6d96d4c8929b44cf2b3fc9c0df52185a3d5874feda4a765e7fc0492

SHA512
e371f9a5f9c573b99c82d87cf75a58a39588e4fe3f8f2f0f5857c827d2d25434a3b788439ce5a24232f1ed53b006faae9b71a7460fc207c97eeae3d4c67178dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
196KB

MD5
43bf444117096817aaf6cf882e0f8f1a

SHA1
f44237db2c8e8fae5238cf11e35dbd3cbe9478c5

SHA256
c1bb913ea1b09b38cbd99b63f2dbe53bb4225d29740e067e213374229cace57a

SHA512
4b3a5059396c6c2f39e5371086b01a5afe320c727d927a88c3ee39821c1581442a9bd4bb64b2ebfd40278f825910b8394e57aa55b8eade2926666c8a9a60f1d8

Download Submit
memory/540-0-0x0000000000220000-0x00000000002A2000-memory.dmp

Filesize
520KB

Download
memory/540-1-0x0000000000220000-0x00000000002A2000-memory.dmp

Filesize
520KB

Download
memory/540-16-0x0000000000220000-0x00000000002A2000-memory.dmp

Filesize
520KB

Download
memory/2092-14-0x0000000000C40000-0x0000000000CC2000-memory.dmp

Filesize
520KB

Download
memory/2092-19-0x0000000000C40000-0x0000000000CC2000-memory.dmp

Filesize
520KB

Download
memory/2092-20-0x0000000000C40000-0x0000000000CC2000-memory.dmp

Filesize
520KB

Download