urelas | 8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
Size

999KB
MD5

804524de8c35e0f453cfccc83a5f4726
SHA1

6e476f64aeec26e3cefb02ed46d0cbbd6a48a60d
SHA256

8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61
SHA512

8c8549ee9e55bf4da6e8250c9fd5ae8cd92e0eee4a8ee1a7282360c8c9dc5e20beb8ce875581dd3246e7e017d9676054d53b962f03a91050977d16c55edb0ac3
SSDEEP

24576:1ydHl4Vi6qm7Aa1UaW7J5RzkF2o5x6RrAyB:wl4Viw7zUTNQF2o6xB

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	zypuo.exe

Executes dropped EXE 2 IoCs

pid	Process
1260	zypuo.exe
3472	jorov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
1260	zypuo.exe
1260	zypuo.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe
3472	jorov.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1260	4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	84
PID 4832 wrote to memory of 1260	4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	84
PID 4832 wrote to memory of 1260	4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	84
PID 4832 wrote to memory of 416	4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	85
PID 4832 wrote to memory of 416	4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	85
PID 4832 wrote to memory of 416	4832	8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe	85
PID 1260 wrote to memory of 3472	1260	zypuo.exe	95
PID 1260 wrote to memory of 3472	1260	zypuo.exe	95
PID 1260 wrote to memory of 3472	1260	zypuo.exe	95

C:\Users\Admin\AppData\Local\Temp\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
"C:\Users\Admin\AppData\Local\Temp\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\zypuo.exe
  "C:\Users\Admin\AppData\Local\Temp\zypuo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\jorov.exe
    "C:\Users\Admin\AppData\Local\Temp\jorov.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
d73c5099a0625ad707388d0850968dd4

SHA1
51dab7198c7c6487dd6c1f25f9cec58119bab9a7

SHA256
37b41dbd3c89e1d7b2828743bfac4cce87916cf671c59040cc5b7bc0ad4360bc

SHA512
578b5b256ffac7474f36317531f8f445db18c517630df93f8048bbeabee5d17199c958978c03ba40124e86416fc75bb7c64729fa75e99bc4293909742148331d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0918e43a891fbf2123597860cee7563b

SHA1
6346bd35d89d4562d2ca8424371dc15ba0a8a8b8

SHA256
2eeb26d3518fda8799e63b51f9324932b0358da5554e2cd3f7e23929df04f3d5

SHA512
c5167dfab9848bf239d9d62dbdac41f97c719a47fa49ebd0cc9073932355a0c4f58faebceb83d4491268ddaa1abcfd465d57926af783e7b8163d670d854526ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jorov.exe

Filesize
416KB

MD5
6c7c8ee6074b0051142af468b17f6e20

SHA1
4503379defc31ed2baf309e46e833138a4085f1b

SHA256
6fee1670f69cd19c6580866622107864c43f46344c5830a0cccc44a8b290df2d

SHA512
f92a41a03cfda72e1ea0c237e93237575afc73816e0a0a1dd6bb7d8d300689e4316e5bc75aa2534b9bcc33ac0ff9431ed274d085404b3c08cefa0a06785cbb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zypuo.exe

Filesize
999KB

MD5
e57559edfde767788e81e7ff6326f3c7

SHA1
128ab2d570cb245559864ea92a60433757ff41cc

SHA256
b45c65f1eb12bc921709bb6732d2581e74df88fd5a08042c125cfc889998b2bf

SHA512
84b2825f13fc5ca8259fecd1333376b9a8407e2bae1f2c649a43f4ca580ffec4cc963f07698da6f51c868a964927b625228124f2087ee36c183c60f13fddd849

Download Submit
memory/1260-10-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/1260-17-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/1260-26-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/4832-0-0x00000000008F0000-0x00000000009F4000-memory.dmp

Filesize
1.0MB

Download
memory/4832-14-0x00000000008F0000-0x00000000009F4000-memory.dmp

Filesize
1.0MB

Download