urelas | 4644517d2806702549b846419b6535fe1f921619f9d1beed5227b46417e97880

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c7b51fc42a4cb6f04c7bcad06152d3a.exe
Size

536KB
MD5

1c7b51fc42a4cb6f04c7bcad06152d3a
SHA1

087011b2bdbe8ad0a2486fbb5c0f6817259dc785
SHA256

4644517d2806702549b846419b6535fe1f921619f9d1beed5227b46417e97880
SHA512

54ae9f8dbb6f3d5da6c88edbec1f3608160a6c6ddcba30f55a106d2c59be0f8751f5297bbcaa5e24794ef2e24e4aa593154967838767815cbdf67850d359af45
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPd:q0P/k4lb2wKatd

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	1c7b51fc42a4cb6f04c7bcad06152d3a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	zoweu.exe

Executes dropped EXE 2 IoCs

pid	Process
3048	zoweu.exe
3972	nohao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe
3972	nohao.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3048	2376	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	91
PID 2376 wrote to memory of 3048	2376	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	91
PID 2376 wrote to memory of 3048	2376	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	91
PID 2376 wrote to memory of 4896	2376	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	92
PID 2376 wrote to memory of 4896	2376	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	92
PID 2376 wrote to memory of 4896	2376	1c7b51fc42a4cb6f04c7bcad06152d3a.exe	92
PID 3048 wrote to memory of 3972	3048	zoweu.exe	108
PID 3048 wrote to memory of 3972	3048	zoweu.exe	108
PID 3048 wrote to memory of 3972	3048	zoweu.exe	108

C:\Users\Admin\AppData\Local\Temp\1c7b51fc42a4cb6f04c7bcad06152d3a.exe
"C:\Users\Admin\AppData\Local\Temp\1c7b51fc42a4cb6f04c7bcad06152d3a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\zoweu.exe
  "C:\Users\Admin\AppData\Local\Temp\zoweu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\nohao.exe
    "C:\Users\Admin\AppData\Local\Temp\nohao.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
be61fc447437aa4134c851bdb3fee6b1

SHA1
6b825d287562aa5c5b469f95335d90bb876efdaf

SHA256
346b80e2400a436a53466bea29af678ee0cf5181d7f3b3d9dc5e6ca83db25008

SHA512
4ba0834b05968e8f71869585c17f8e50a99b1a85defe7b56411ff0bd7af745210884d8d47e24a661754072d5ff134d35717a2a7c92f3d13f2cd130e030143d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6347295e6ebf3b4f1c398c07e38a9249

SHA1
d54de15cb7aee4b3c3a8f26d9e6b5656a07e2332

SHA256
efb7e9f8bb9613384657ebe22964b874a4bcce3e499eec628433d595ce5baf64

SHA512
ff6d92a7e920c42813cfb58e974844470d80385a689899558a02b04fe4b1c14d106b6b0be0457b67e5bcc255e4be2a7c0a963ad2b7ffbbdc84e5ea912bdf76de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nohao.exe

Filesize
236KB

MD5
d8269210115cfae997b0158a175d9b23

SHA1
1264c7ececc8417fd161526dbdc76d3b48322953

SHA256
3254e31dc379424292dc7cccb4bd798725a2840a67a453d1906b1d2b0367bed7

SHA512
851c6836a447ae4b9ed7961b3a53870e538e234396d5c1193a4460359482886c7cd82c2947ebd9e41dd92ae8c3b29030258340f322b5fe2fd13b122e93416db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoweu.exe

Filesize
536KB

MD5
dcc09284a37edf435461561925c7271a

SHA1
5f911b5915664d68cf55cd907c9e77eb158d8dbc

SHA256
cfb3661d8ff6123688c490c0a72ed4ffb32088f33868937329d03b6055edd811

SHA512
ccfbd40516123c01601de198651fe82977749b9f0831153d7904f6b239dae3925dae210a79296309add2d6d2224109142a506e026e70328366bfab2ed1e98105

Download Submit
memory/2376-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2376-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3048-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3048-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3972-25-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/3972-27-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3972-29-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/3972-30-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/3972-31-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/3972-32-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/3972-33-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download