urelas | 80a336845b1abc6b88bf47887b56344b8859a5a289fe3f037ea70e7b9e466280

Analysis

max time kernel
171s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cde09a0f2b6d648cc015d8daac07a440.exe
Size

49KB
MD5

cde09a0f2b6d648cc015d8daac07a440
SHA1

72eeb73ffd274e997234b2a681536f1f76e88600
SHA256

80a336845b1abc6b88bf47887b56344b8859a5a289fe3f037ea70e7b9e466280
SHA512

f47472a77a014ac647a4ecd80f7c8e90b20f359371d529b4d51defbda05e3b435b442f15fa2800df1d5102a5a06b36f56e82a3ef67a50727da13bfc94a9bbfae
SSDEEP

1536:834/PC7Ruz3hRXRASULZ6JKYdbzcmhCZnt:It7R8fU6n8t

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	cde09a0f2b6d648cc015d8daac07a440.exe

Executes dropped EXE 1 IoCs

pid	Process
1776	mokdhft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1776	4344	cde09a0f2b6d648cc015d8daac07a440.exe	92
PID 4344 wrote to memory of 1776	4344	cde09a0f2b6d648cc015d8daac07a440.exe	92
PID 4344 wrote to memory of 1776	4344	cde09a0f2b6d648cc015d8daac07a440.exe	92
PID 4344 wrote to memory of 3684	4344	cde09a0f2b6d648cc015d8daac07a440.exe	94
PID 4344 wrote to memory of 3684	4344	cde09a0f2b6d648cc015d8daac07a440.exe	94
PID 4344 wrote to memory of 3684	4344	cde09a0f2b6d648cc015d8daac07a440.exe	94

C:\Users\Admin\AppData\Local\Temp\cde09a0f2b6d648cc015d8daac07a440.exe
"C:\Users\Admin\AppData\Local\Temp\cde09a0f2b6d648cc015d8daac07a440.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
  "C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
49KB

MD5
0f945c4779616bacc88b06472a2643a4

SHA1
9ecf83a21b21d4e6b07ad979fa420a204e994b2f

SHA256
89071261e89ae212e233f4bf9e229e7cd9c9a2abd642daf8fe951039127da366

SHA512
afcc257edbc8415902a636ac72fdd5be80af007f0ab832b3446ac8e58764c1c3eab1c803a0e358458529d4b25e72aa29e23f15fd04e1d435b013717d03ded4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
5cd2e6ce28567c670df35bc387afeba5

SHA1
b0e294672613abe281fb3a62472d81fb355fb4d8

SHA256
7f4e711b2d28d13e284e2aa4aa2ebc2e21869b3bc5b46387936e6c8422ca1977

SHA512
f5e5982d1abf53c0bd67c497abcc41b8816dad4b21747de3e18ae40da520a83250b6057a6273d5008665fe16411761f4d628d9d0fb69756f9ed8da486f48dc71

Download Submit
memory/1776-12-0x0000000000210000-0x0000000000243000-memory.dmp

Filesize
204KB

Download
memory/1776-17-0x0000000000210000-0x0000000000243000-memory.dmp

Filesize
204KB

Download
memory/1776-19-0x0000000000210000-0x0000000000243000-memory.dmp

Filesize
204KB

Download
memory/1776-25-0x0000000000210000-0x0000000000243000-memory.dmp

Filesize
204KB

Download
memory/4344-0-0x0000000000A40000-0x0000000000A73000-memory.dmp

Filesize
204KB

Download
memory/4344-14-0x0000000000A40000-0x0000000000A73000-memory.dmp

Filesize
204KB

Download