urelas | b95c2525526c87406c37e1d7da88fa310c97d43148236bbbe33615f3af83304b

Analysis

max time kernel
93s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44179d4fea5660f9f44da283cfc3f0ff.exe
Size

440KB
MD5

44179d4fea5660f9f44da283cfc3f0ff
SHA1

6aee3a3ee10a839590c280b453c0df227f2037bf
SHA256

b95c2525526c87406c37e1d7da88fa310c97d43148236bbbe33615f3af83304b
SHA512

401ccd39e567556e2469fd90fb7fdee865d2404e3f2b101915bacd647db507fc221c586af1c68826a4a047b379b42fb44ae53fffc847873c0bf85b45b4c2e536
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMA:rKf1PyKa2H3hOHOHz9JQ6zBb

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	44179d4fea5660f9f44da283cfc3f0ff.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	cefui.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2700	1752	44179d4fea5660f9f44da283cfc3f0ff.exe	95
PID 1752 wrote to memory of 2700	1752	44179d4fea5660f9f44da283cfc3f0ff.exe	95
PID 1752 wrote to memory of 2700	1752	44179d4fea5660f9f44da283cfc3f0ff.exe	95
PID 1752 wrote to memory of 4164	1752	44179d4fea5660f9f44da283cfc3f0ff.exe	94
PID 1752 wrote to memory of 4164	1752	44179d4fea5660f9f44da283cfc3f0ff.exe	94
PID 1752 wrote to memory of 4164	1752	44179d4fea5660f9f44da283cfc3f0ff.exe	94

C:\Users\Admin\AppData\Local\Temp\44179d4fea5660f9f44da283cfc3f0ff.exe
"C:\Users\Admin\AppData\Local\Temp\44179d4fea5660f9f44da283cfc3f0ff.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4164
- C:\Users\Admin\AppData\Local\Temp\cefui.exe
  "C:\Users\Admin\AppData\Local\Temp\cefui.exe"
  2⤵
  - Executes dropped EXE
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\kulif.exe
    "C:\Users\Admin\AppData\Local\Temp\kulif.exe"
    3⤵
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cefui.exe

Filesize
440KB

MD5
1c5fb57e597a3860049738479806578d

SHA1
a0e53c86e61dba8c1abff4467cf5d66a3169548c

SHA256
e0dca0602d827c32d1ef40780ff23c4e089f25f939096d27d738e3a67acb971c

SHA512
5bef24d22de9acc6d2f05a17a9bb9d358829b22b6a8ae4a94875043c2f13f492eb067623c3e974117535d0ee4a7c3a8d1be2fed31377f9d68413f8dc21af45d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af1e5cf5ed6011985b98cc39eaf93fa9

SHA1
2c067b9c7785461a2c078517fec4e1c7fb83ae27

SHA256
6ab545082ca5407d6784d1b91f49a5c1a38d3655dee716d6d227a1450a162a1e

SHA512
10fec80cb7565f899f86771869c3e93c32b7dcc705b7a352ba5b052e32fe43dc42d0adc0484906f83ab8aca7e33d93f345ab83f321f46d33d7f8a598fbd15c47

Download Submit
memory/1752-14-0x0000000000060000-0x00000000000CE000-memory.dmp

Filesize
440KB

Download
memory/1752-0-0x0000000000060000-0x00000000000CE000-memory.dmp

Filesize
440KB

Download
memory/2436-29-0x0000000000540000-0x00000000005DE000-memory.dmp

Filesize
632KB

Download
memory/2436-27-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2436-25-0x0000000000540000-0x00000000005DE000-memory.dmp

Filesize
632KB

Download
memory/2436-30-0x0000000000540000-0x00000000005DE000-memory.dmp

Filesize
632KB

Download
memory/2436-31-0x0000000000540000-0x00000000005DE000-memory.dmp

Filesize
632KB

Download
memory/2436-32-0x0000000000540000-0x00000000005DE000-memory.dmp

Filesize
632KB

Download
memory/2436-33-0x0000000000540000-0x00000000005DE000-memory.dmp

Filesize
632KB

Download
memory/2700-26-0x0000000000300000-0x000000000036E000-memory.dmp

Filesize
440KB

Download
memory/2700-12-0x0000000000300000-0x000000000036E000-memory.dmp

Filesize
440KB

Download