urelas | 1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
Size

247KB
MD5

6bc8b8ea22ded629343c7cd37d165b69
SHA1

ac644dbe00940622e829eea2c7ff98ddde7f2979
SHA256

1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8
SHA512

9335907ea8c7b3190adb4368238eb47b05eb279f7dc0195de681d3b33b2758377b7ef657de0d094e75606a49e97129780f6a108c68e586a4b1882c008268cc5b
SSDEEP

3072:YYB4Qlayj4kOLH7yUzOu376z6zODggW9VzzOninjdJpHk:5yQlayj4vLmar6zFVWjzzPRJpHk

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral2/memory/1784-0-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral2/files/0x0007000000023212-6.dat	UPX
behavioral2/memory/4776-12-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral2/memory/1784-14-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral2/memory/4776-17-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral2/memory/4776-18-0x0000000000400000-0x0000000000445000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe

Executes dropped EXE 1 IoCs

pid	Process
4776	shoste.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1784-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/files/0x0007000000023212-6.dat	upx
behavioral2/memory/4776-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1784-14-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4776-17-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4776-18-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 4776	1784	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	90
PID 1784 wrote to memory of 4776	1784	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	90
PID 1784 wrote to memory of 4776	1784	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	90
PID 1784 wrote to memory of 4992	1784	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	91
PID 1784 wrote to memory of 4992	1784	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	91
PID 1784 wrote to memory of 4992	1784	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	91

C:\Users\Admin\AppData\Local\Temp\1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
"C:\Users\Admin\AppData\Local\Temp\1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
84755d526a89b1cec68d6091abfbcb6d

SHA1
c75a1553266458d5d4d6fb18291ea44563fa130f

SHA256
4485e73b8e2dd2346284b33156fcb30f8d6ab41c194933246803f1ab1b62665b

SHA512
78666508a3b72e65f9b1ec5736c88e3557023a7469be40e0a4b9e489e3b37fa6f50e87cc70779b66de19338b867e8037d572e965c4cf569dc9ef417d010f0f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
a2f1cfefee13539bee315ce711c269c6

SHA1
5a188e55886b54bdd6cc268825d0ee3238b3c57a

SHA256
541d4cb101005acc44067724797f497bc8f01efefbd2a389dcad8631cde48e76

SHA512
eb8319f51e54bc432b793444a84d0f205cfda26387e45d86e8ef96ffefe8ea21c12d0d8dcda55c63a987d40f5214b28973feb929cf5445fe86cba72cb2b87698

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
247KB

MD5
abfc2ddc2c9fa763e6af9aa16907e32e

SHA1
8162f5cf9e8a4ca7572e6bd497302507641ca94e

SHA256
98059e21b4d213d6686c7eeebc82bb2905bbaeba4ab06016a25144856f014667

SHA512
55df43192877f0fdf9b984a08c0a70e29132c7e44547048340e0d0bee205dcfb514cab14aa199ff3cb2ee50a6d5f830ee99bd2f3855afe2d83095de7c54ba23a

Download Submit
memory/1784-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1784-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4776-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4776-17-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4776-18-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download