urelas | 47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe
Size

446KB
MD5

bcc572ad110d485fbcc2040142047a3f
SHA1

edf00e9575c935345e262d3cdc7a2cc26b0f5134
SHA256

47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c
SHA512

4ab058ec362875c9831f95bdae0f7d86294c84a605269b95da75fb83413e133164bc00de8c5e6425874dc798eb287445caa8efc40cbf6773ae8fad6591e30506
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMC/s:rKf1PyKa2H3hOHOHz9JQ6zBI

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	raarh.exe

Executes dropped EXE 2 IoCs

pid	Process
4828	raarh.exe
1280	yfsia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe
1280	yfsia.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4828	4892	47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe	92
PID 4892 wrote to memory of 4828	4892	47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe	92
PID 4892 wrote to memory of 4828	4892	47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe	92
PID 4892 wrote to memory of 4904	4892	47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe	93
PID 4892 wrote to memory of 4904	4892	47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe	93
PID 4892 wrote to memory of 4904	4892	47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe	93
PID 4828 wrote to memory of 1280	4828	raarh.exe	107
PID 4828 wrote to memory of 1280	4828	raarh.exe	107
PID 4828 wrote to memory of 1280	4828	raarh.exe	107

C:\Users\Admin\AppData\Local\Temp\47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe
"C:\Users\Admin\AppData\Local\Temp\47c87e88e6b4fb77a65a96942beb1b151210e836e54f94aaf8a3a586d00b4b7c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\raarh.exe
  "C:\Users\Admin\AppData\Local\Temp\raarh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\yfsia.exe
    "C:\Users\Admin\AppData\Local\Temp\yfsia.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2c79a6508c12c4326930687bfd81754d

SHA1
2785ae4e891e7f96f4da6e39df36f2aaa970b146

SHA256
2c03aae95cdb3c43d7ec49fa4c72f64d5df0f14f69e91bff1f583e0c4e0db078

SHA512
c42146d616d387de9871d324c5900070733b1ff3dc196e6dd2ae65df6c5902cf6e9f3c34d6d60cd62b134c9d82a7d24909e8842cc9832433824c82043c4317c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6e8ab2d3d39649acd61475979ee1876e

SHA1
94cff5c8da4de3136caf6098a8ed9c4b0b39df4f

SHA256
7aa4ac18f0bd358719fd6d9a8c85497a84ead22980510b6bc499bb73f10fe805

SHA512
f399ae1864e6a1dda816c7dad28272c0d5b0df0d63cbb4e5c1374684156f1e5c4e8f58cbd1501689c4dd5eab3b0c57f09d722aa02c1ed78f417dc1a9895aaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\raarh.exe

Filesize
446KB

MD5
f000a613dbf2b38d630d160d42af83e9

SHA1
32ac952faa47490f9aa2fe17897598bbf88aa452

SHA256
6bf3b5f37ee9c376b5b8dbe3fd088626b92bde8330d45675d18acd97eed64b2c

SHA512
594f4d3fddadfcf67a51610e77d3bed7d819e90fc6f465650af5fea9bfe26d05b67f6947789b88cfb07be2cac0e554f39c2c6380f46223516ce62e24582ac83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfsia.exe

Filesize
230KB

MD5
4824136e1aa48f2c2e705c15eed0f811

SHA1
3c41aeae3a319ddf7e101e07babd22961213d03c

SHA256
ec27189e814697bd20e1c87c3020fb98d5a84c790e064b88333b0b5bf63fea43

SHA512
461435108cf3f232dddee1bddc12904e99bb021136d266e8c7eeae0636d7882aff4f1259a9156bd1b38ce9250eb304d06594a32122befc291320bc808fb1cdf9

Download Submit
memory/1280-27-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1280-26-0x0000000000BA0000-0x0000000000C3E000-memory.dmp

Filesize
632KB

Download
memory/1280-29-0x0000000000BA0000-0x0000000000C3E000-memory.dmp

Filesize
632KB

Download
memory/1280-30-0x0000000000BA0000-0x0000000000C3E000-memory.dmp

Filesize
632KB

Download
memory/1280-31-0x0000000000BA0000-0x0000000000C3E000-memory.dmp

Filesize
632KB

Download
memory/1280-32-0x0000000000BA0000-0x0000000000C3E000-memory.dmp

Filesize
632KB

Download
memory/1280-33-0x0000000000BA0000-0x0000000000C3E000-memory.dmp

Filesize
632KB

Download
memory/4828-12-0x00000000002F0000-0x000000000035E000-memory.dmp

Filesize
440KB

Download
memory/4828-25-0x00000000002F0000-0x000000000035E000-memory.dmp

Filesize
440KB

Download
memory/4892-14-0x0000000000ED0000-0x0000000000F3E000-memory.dmp

Filesize
440KB

Download
memory/4892-0-0x0000000000ED0000-0x0000000000F3E000-memory.dmp

Filesize
440KB

Download