urelas | 3c76b9859afeb266484593f3cfd4b7e6af989e655313c0080a523ec5c85bcdb2

Analysis

max time kernel
141s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba13f33cfc5b100a74c247810382860f.exe
Size

49KB
MD5

ba13f33cfc5b100a74c247810382860f
SHA1

7727774b9cc59f36eac88f05747bd929bfefa806
SHA256

3c76b9859afeb266484593f3cfd4b7e6af989e655313c0080a523ec5c85bcdb2
SHA512

4ae5b60c47d8ccec120290cf8b589ca5be485166c482c5c57c4606b0028f22587503cc251fe29ba300dfabc2978add745f26e2f8da1e4a8fc1314f970d125f1d
SSDEEP

1536:834/PC7Ruz3hRXRASULZ6JKYdbzcmhCZn:It7R8fU6n8

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ba13f33cfc5b100a74c247810382860f.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	mokdhft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2440	2804	ba13f33cfc5b100a74c247810382860f.exe	97
PID 2804 wrote to memory of 2440	2804	ba13f33cfc5b100a74c247810382860f.exe	97
PID 2804 wrote to memory of 2440	2804	ba13f33cfc5b100a74c247810382860f.exe	97
PID 2804 wrote to memory of 4152	2804	ba13f33cfc5b100a74c247810382860f.exe	98
PID 2804 wrote to memory of 4152	2804	ba13f33cfc5b100a74c247810382860f.exe	98
PID 2804 wrote to memory of 4152	2804	ba13f33cfc5b100a74c247810382860f.exe	98

C:\Users\Admin\AppData\Local\Temp\ba13f33cfc5b100a74c247810382860f.exe
"C:\Users\Admin\AppData\Local\Temp\ba13f33cfc5b100a74c247810382860f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
  "C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
49KB

MD5
59d7e5e8eb6710bfad818a2c4259f776

SHA1
bbd1debc8e2e384b4689ac11fea170fd7b49d117

SHA256
6dd6f00f5680794e6ef15b379469969519befe58b39770060213c7166ac469e2

SHA512
b01868153ace756813f707860186c74d795da8f918f6b50189b1dd3408bc94e6fb3447810e9e5d063b8758ec54831116d045a8c4597091fd451c42ec5959a73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
013c1ea119ff83a4c38a9cbd16796d9d

SHA1
7072aa23a0f0a8e67ea056e82d49ce86a6d5135d

SHA256
f60232dd8af93b0214ad25da561d5cd5650e077dfb2457c68b0fcc220cc87e63

SHA512
29a31b79a4da37a9c5f2077e58317264919f767d8877c521a7f7c4199ea11bf10b5f9aa623b0e1ca03f41ba47312c80d7e345b7e0bc8e868e4cbde9c7049a82e

Download Submit
memory/2440-10-0x0000000000D00000-0x0000000000D33000-memory.dmp

Filesize
204KB

Download
memory/2440-17-0x0000000000D00000-0x0000000000D33000-memory.dmp

Filesize
204KB

Download
memory/2440-19-0x0000000000D00000-0x0000000000D33000-memory.dmp

Filesize
204KB

Download
memory/2440-25-0x0000000000D00000-0x0000000000D33000-memory.dmp

Filesize
204KB

Download
memory/2804-0-0x0000000000D20000-0x0000000000D53000-memory.dmp

Filesize
204KB

Download
memory/2804-14-0x0000000000D20000-0x0000000000D53000-memory.dmp

Filesize
204KB

Download