urelas | b7f9d23a79a3584615b96aad5335707ca944ac2306c1c9d5558abd91bcb9d1ec

Analysis

max time kernel
171s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4790440ba0e67149cff353930fb72ac7.exe
Size

535KB
MD5

4790440ba0e67149cff353930fb72ac7
SHA1

8124005da70ff24dbc969f0b85b81ee741727676
SHA256

b7f9d23a79a3584615b96aad5335707ca944ac2306c1c9d5558abd91bcb9d1ec
SHA512

1a4672d90139b23328714192e5522fde6d4f5cc89d8671200112f7266889ca625637412de77007d0ba5779f0e08d6a4f2e97e294ef88d9b1b448f164bdfb2af1
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP6:q0P/k4lb2wKat6

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4790440ba0e67149cff353930fb72ac7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ycwyu.exe

Executes dropped EXE 2 IoCs

pid	Process
4972	ycwyu.exe
5080	gusei.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe
5080	gusei.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4972	4764	4790440ba0e67149cff353930fb72ac7.exe	97
PID 4764 wrote to memory of 4972	4764	4790440ba0e67149cff353930fb72ac7.exe	97
PID 4764 wrote to memory of 4972	4764	4790440ba0e67149cff353930fb72ac7.exe	97
PID 4764 wrote to memory of 2492	4764	4790440ba0e67149cff353930fb72ac7.exe	98
PID 4764 wrote to memory of 2492	4764	4790440ba0e67149cff353930fb72ac7.exe	98
PID 4764 wrote to memory of 2492	4764	4790440ba0e67149cff353930fb72ac7.exe	98
PID 4972 wrote to memory of 5080	4972	ycwyu.exe	112
PID 4972 wrote to memory of 5080	4972	ycwyu.exe	112
PID 4972 wrote to memory of 5080	4972	ycwyu.exe	112

C:\Users\Admin\AppData\Local\Temp\4790440ba0e67149cff353930fb72ac7.exe
"C:\Users\Admin\AppData\Local\Temp\4790440ba0e67149cff353930fb72ac7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\ycwyu.exe
  "C:\Users\Admin\AppData\Local\Temp\ycwyu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\gusei.exe
    "C:\Users\Admin\AppData\Local\Temp\gusei.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
2de8bd8ef928282f9b1cfbf93a083273

SHA1
cc4b509f7325757f98d1ac05ba184f73af1b3703

SHA256
6cb160ca622a405c4ffe48c0dd543e6d09e876b4698f826c144303d7baee76ad

SHA512
af56ec60fb64dec494c870be4c9e0ffa522fea4c67f95b182a98dc70e323b313515c6fbf03d0b515b9e9bc2e6b058673086371f8d5d6a6fee946f3263f34c2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
170ddf27c331502c9eb0e78d0a9346a1

SHA1
e8959c6eea7fee63b6d5050d1c2d241e7584f288

SHA256
ef609cfef324afd04cec94fb1f5952e377bdca1238b6381ee81eae147a067b83

SHA512
5496c57dd383b6fc1586c43d152cc94e2c8a06750f3c2a6dbfed2a78df5652a9eae231f742bc00220e91f1c21d0c61c1b3893a25208b1131b56cc44ac511446c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gusei.exe

Filesize
236KB

MD5
3ba9f0ff29f3251fa270cf49f1e1afcc

SHA1
0c7328c4c5d31b49dd84c4e8d79aedceaf174bee

SHA256
642704a3ae98abea80131e7ca4957217262ae8b72eb77927107a087aff032489

SHA512
a24af6a36ebcec4a86a06fc70fad796d5b89f14fb433f4bd546579415b058f3339a5d4b31b90e7f4f180771f125a724abb424facad7ff67ab03b7b7ddd40b7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwyu.exe

Filesize
535KB

MD5
a54973608254044bac925795ec9f626b

SHA1
2565fba05b6b4ff29b819974d1ec4edc89aebe48

SHA256
cf1715854a5b21bbd7325b1c5f4f34652b2d155fa1310d3d90cea4d4317b82a7

SHA512
7cdbfb3418140a7682503f32f8ce3b62cb02b85b46aba52484a35bcc7bac1d6e255cf43f04b5a7d390891a46464e60f5a99317f68a3d4174b6cfba1d991412d6

Download Submit
memory/4764-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4764-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4972-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5080-25-0x0000000000500000-0x00000000005A3000-memory.dmp

Filesize
652KB

Download
memory/5080-26-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download