urelas | 43a6dbabf9d91478c9763b315004b2066d4f8dd539c223a0813cbba409253c96

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97aab0a912875f65ae91d3d67e5b4541.exe
Size

441KB
MD5

97aab0a912875f65ae91d3d67e5b4541
SHA1

dff953da77d139e9f7ecd6292d548d1df0cf46cf
SHA256

43a6dbabf9d91478c9763b315004b2066d4f8dd539c223a0813cbba409253c96
SHA512

23c9033497f6337811e878f24b43a64f6e3065699d60d31b803b93796988ec186ecfe69c699b11da5322efe0e4f8da7cd5c4c198009db8149315f63f47e40714
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMRJ2:rKf1PyKa2H3hOHOHz9JQ6zBGI

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	getid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	97aab0a912875f65ae91d3d67e5b4541.exe

Executes dropped EXE 2 IoCs

pid	Process
5060	getid.exe
764	nunet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe
764	nunet.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 5060	1684	97aab0a912875f65ae91d3d67e5b4541.exe	92
PID 1684 wrote to memory of 5060	1684	97aab0a912875f65ae91d3d67e5b4541.exe	92
PID 1684 wrote to memory of 5060	1684	97aab0a912875f65ae91d3d67e5b4541.exe	92
PID 1684 wrote to memory of 4408	1684	97aab0a912875f65ae91d3d67e5b4541.exe	93
PID 1684 wrote to memory of 4408	1684	97aab0a912875f65ae91d3d67e5b4541.exe	93
PID 1684 wrote to memory of 4408	1684	97aab0a912875f65ae91d3d67e5b4541.exe	93
PID 5060 wrote to memory of 764	5060	getid.exe	101
PID 5060 wrote to memory of 764	5060	getid.exe	101
PID 5060 wrote to memory of 764	5060	getid.exe	101

C:\Users\Admin\AppData\Local\Temp\97aab0a912875f65ae91d3d67e5b4541.exe
"C:\Users\Admin\AppData\Local\Temp\97aab0a912875f65ae91d3d67e5b4541.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\getid.exe
  "C:\Users\Admin\AppData\Local\Temp\getid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\nunet.exe
    "C:\Users\Admin\AppData\Local\Temp\nunet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
c162196d272eab5db2945ec942a7b4e2

SHA1
16d11ddc66f802728d038737c937b76012f80399

SHA256
a82f0f80b474198dc2df109cf253f3c7fa5d2c3048897eb80a5acf56629058fc

SHA512
fb2edfed35fe95cadc67e60348c70ff569d02b7822a22deb44b71016d3891a3b0530976ad963958a1ffb52e3e46ff13aa43b114ce10df28475106e4601e8df64

Download Submit
C:\Users\Admin\AppData\Local\Temp\getid.exe

Filesize
441KB

MD5
f2399c389b48da1b27a4ebc0b64efb85

SHA1
449dbfb43b8fb78b154bcb9394ca490ffcf9b925

SHA256
075de5275288b46a78b3cda2d3fa8760fb5b55e0912e8db2bba05da2beda89cb

SHA512
86c229832963fb0507b36bdc70cfee21fd73eaaccd94d771376a1014efe3c3295978868be8e676f9b8786000835fcb15c49bb091bd627609b1fb286661f77e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1cdf9dc1d4e09e05a3019dde9713a5e3

SHA1
a418aaa1f269bfb5b7297c2e10b87ee570381f6d

SHA256
0f16c6e463aa32eaabf40c660686de5a99f7a41326521eb0dfad70ecbcb2a15c

SHA512
76139aa67a53e151076f7328e5e5e12ad3cb2e3cbec4ac0cd675bb20d1fefbf12fc5c14185bdc50fa4808a61be4addaa14747b5aec27df0a279b9e335b75c40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nunet.exe

Filesize
230KB

MD5
f74c096252b178fe7764d08850e32f72

SHA1
434c0f7ae2110977d850fc15c5fd03439765e51b

SHA256
4407dbfb5620e8ea7ee209c5202cfdd1e22ae724eb4f97eabf0b85e13c3b7d70

SHA512
7f5acfa5223f084a28ad5b4dd001c304632df35ae5ae861c2e078af2d5c0d0bf4c616439dba66e477d98028ede2b97acdc29a1dca45be436c75831884e7e34fc

Download Submit
memory/764-33-0x0000000000FD0000-0x000000000106E000-memory.dmp

Filesize
632KB

Download
memory/764-25-0x0000000000FD0000-0x000000000106E000-memory.dmp

Filesize
632KB

Download
memory/764-27-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/764-32-0x0000000000FD0000-0x000000000106E000-memory.dmp

Filesize
632KB

Download
memory/764-29-0x0000000000FD0000-0x000000000106E000-memory.dmp

Filesize
632KB

Download
memory/764-30-0x0000000000FD0000-0x000000000106E000-memory.dmp

Filesize
632KB

Download
memory/764-31-0x0000000000FD0000-0x000000000106E000-memory.dmp

Filesize
632KB

Download
memory/1684-0-0x0000000000AB0000-0x0000000000B1E000-memory.dmp

Filesize
440KB

Download
memory/1684-14-0x0000000000AB0000-0x0000000000B1E000-memory.dmp

Filesize
440KB

Download
memory/5060-12-0x0000000000680000-0x00000000006EE000-memory.dmp

Filesize
440KB

Download
memory/5060-26-0x0000000000680000-0x00000000006EE000-memory.dmp

Filesize
440KB

Download