urelas | 92faa5aaeef3e16afe8a8f6e41d7b33d0993674c0629e2011e35aa643aa941e8

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4202364da06c9f7e07177ce3d08e9124.exe
Size

536KB
MD5

4202364da06c9f7e07177ce3d08e9124
SHA1

653c2fc6d58dd404bd2f2b02dcb5d7e6514b3853
SHA256

92faa5aaeef3e16afe8a8f6e41d7b33d0993674c0629e2011e35aa643aa941e8
SHA512

1b5867253f2f0c4df6f7242a4c971ef5c0b590cfb59a68071e1cdd7ba2bb726f7ed2d32f672467398fd5f39b61b2278040d9ec9cd43ec2a497866c0127fee1fb
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPM:q0P/k4lb2wKatM

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	4202364da06c9f7e07177ce3d08e9124.exe

Executes dropped EXE 1 IoCs

pid	Process
1468	jywyd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1468	3672	4202364da06c9f7e07177ce3d08e9124.exe	78
PID 3672 wrote to memory of 1468	3672	4202364da06c9f7e07177ce3d08e9124.exe	78
PID 3672 wrote to memory of 1468	3672	4202364da06c9f7e07177ce3d08e9124.exe	78
PID 3672 wrote to memory of 2304	3672	4202364da06c9f7e07177ce3d08e9124.exe	77
PID 3672 wrote to memory of 2304	3672	4202364da06c9f7e07177ce3d08e9124.exe	77
PID 3672 wrote to memory of 2304	3672	4202364da06c9f7e07177ce3d08e9124.exe	77

C:\Users\Admin\AppData\Local\Temp\4202364da06c9f7e07177ce3d08e9124.exe
"C:\Users\Admin\AppData\Local\Temp\4202364da06c9f7e07177ce3d08e9124.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\jywyd.exe
  "C:\Users\Admin\AppData\Local\Temp\jywyd.exe"
  2⤵
  - Executes dropped EXE
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\nycai.exe
    "C:\Users\Admin\AppData\Local\Temp\nycai.exe"
    3⤵
    PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
ac6171de4d6bd6f99ab4476752054e16

SHA1
04bd0acc8e08cf2d20fd67e3ad54e37fa6886f54

SHA256
13ced25e841f0da703fcbbfdd71b30ff15c3372f4b58076a44189e7113294c94

SHA512
db7ada78004bf35e3b631337036e1fe8c1ee2db4f6000d7a195fbb8ce61696386e8870311b162003f5b87e40512d98c65d70cabe8fbec5cb25a605fcb5bdecc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
071623f7fd46bc5ecad4b26b7b24b162

SHA1
8ad9177b9b13945e695eb7322f83d029a596f23e

SHA256
4ae96a47e8f6a5e13f6cf52bbc398c596ae7b16703d10ae202c7ce174f7d1fb9

SHA512
495d4dfcd9f8ebd32583890b551d2f4accbdcd72f9a531a85c668f54aaba24acd2dd85fb301ba35d810d372804efef141c73c4f4a1fd6b2dcf35ce817aa1a0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jywyd.exe

Filesize
536KB

MD5
40544329465eb1810cc12446f3dda730

SHA1
b450b77c0e294e19573af9daf328a0840366b370

SHA256
a7110a255d2d33d2dbd31155849f93f305c9dd5a99bc9594e0728abbdba075f4

SHA512
c1559c7090efdbbd63a9722a7990376cb534401d9b2aa0227b9827695e338a8585dc57d59b566741342420e801cb7aaf15e75b5fe41d1a50860fbd3f11a9a168

Download Submit
C:\Users\Admin\AppData\Local\Temp\nycai.exe

Filesize
236KB

MD5
1d3b222a25b9f71007271abde338f9c9

SHA1
e8f19ae294b5c5d4c3a0330055d506ee5e32303f

SHA256
f380a0fa2c6ed4e2e40c626b3632568dfd31cc0aaae3f4cf46fdf2e34c609892

SHA512
95d04b2f5ec6146c267caae734a4711745e45933c74089a87195cda4a7e42ca9cd9243cefecd97b75c78a4c88617389b104ab9357a4504928adae9ce7dd8452d

Download Submit
memory/1468-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1468-25-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3672-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3672-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4300-26-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/4300-27-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4300-29-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/4300-30-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/4300-31-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/4300-32-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download
memory/4300-33-0x00000000005A0000-0x0000000000643000-memory.dmp

Filesize
652KB

Download