urelas | 6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe
Size

428KB
MD5

bb8663547fbc759185db8ba625553cc6
SHA1

2de3fa6319b6ee87da1abff5be86b6e9bc342efd
SHA256

6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877
SHA512

d9966e09bbb7e95ac35c5c3ae11a96bf0d41d3ba82f6eff7919a73ee98798842547e5f55ee14dcfb95fd7cc29e2bcccfcc10e2d490c559935d88fb27f8148dcd
SSDEEP

6144:hGOMmhsKI2ir5crKFHLZx2LpLDXeZOXOS/6zbx:hGOIB5crKFHLZx2LpPeZOG

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

F121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral2/memory/4020-0-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/files/0x000d000000023163-6.dat	UPX
behavioral2/memory/3608-12-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/4020-14-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/3608-17-0x0000000000400000-0x000000000046A000-memory.dmp	UPX
behavioral2/memory/3608-18-0x0000000000400000-0x000000000046A000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe

Executes dropped EXE 1 IoCs

pid	Process
3608	opert.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4020-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/files/0x000d000000023163-6.dat	upx
behavioral2/memory/3608-12-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4020-14-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3608-17-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3608-18-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 3608	4020	6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe	92
PID 4020 wrote to memory of 3608	4020	6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe	92
PID 4020 wrote to memory of 3608	4020	6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe	92
PID 4020 wrote to memory of 3396	4020	6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe	93
PID 4020 wrote to memory of 3396	4020	6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe	93
PID 4020 wrote to memory of 3396	4020	6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe	93

C:\Users\Admin\AppData\Local\Temp\6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe
"C:\Users\Admin\AppData\Local\Temp\6dbfd0bcfac3795c45eaa45eba1e1d3b5d54e3ebd9e8832250a5f7a367754877.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
148afafb753f7bfaff11ca52af05579e

SHA1
c9c282c60a331e8fc817820bebbe4e8828de2e33

SHA256
a9b0968de865b7d71a7bf355fd54fc36fdec6ad8ea540ed1e4764bfe4a951149

SHA512
63dbdb7932bb91ac2376cc6a30f6b7205a4b5059753836640a99ef3c86ffefd2190420a4df95c31da4b06c77966f45544df72e0e38c88d7f5f9f056c9b570b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
428KB

MD5
aa579ba181201957a474ff7d1f57ed8d

SHA1
c48954a64ab83fdc20cd95d146467fd2701798bc

SHA256
93c904af40503c24ba12007f94f126438cd4c007d6c111dfaa69a8e691b060d0

SHA512
344db1fbc9c863f5c7801d29dda8d490bc4d63e36347d61123d1a6ec97ebc9bab4c10651ae249b78ce47d0a869baf71e757426264d6f359c463afaaeb96b0172

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
100fb2c92200902dde8a72fab891bdb5

SHA1
f63c37461a382a933638fc0abc7f993051e881a0

SHA256
abcf741ebd9b338def3ef3b9bc2e1408ac3481f55d71ea346ec2ea3c328f51cc

SHA512
d44dab07b6cc0eecb611dab81ce3d4a714ddb51d4bca43e8b86a62464ba6763c8f6871a5ac1a3ac5f2d3fb280b92346c34f67b3942bba5b43b72595145a409ff

Download Submit
memory/3608-12-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3608-17-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3608-18-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4020-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4020-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download