urelas | d6d1d6fe4be85a2b54ca97dcb642c53011e5b507eeb13f5c27cfa3c2aa751103

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a8d0c692042fcace23a8b9461050ddd.exe
Size

328KB
MD5

4a8d0c692042fcace23a8b9461050ddd
SHA1

b9eb6d038650d33fe9553d4e692e25088113d91f
SHA256

d6d1d6fe4be85a2b54ca97dcb642c53011e5b507eeb13f5c27cfa3c2aa751103
SHA512

f51092c252afb5844b3e7ba4b98aeb7e329a7e05a63504a8e627d3ce2717e9edf73a5e8c218b28d11af5d32a1996e54512588688fa8ddbf29549ec656299f473
SSDEEP

6144:wObaeY8zPekKKH/hT8PVdkLHtA3nPER5oSHzZ4NyM:wOb/KKH/hT8PVdkJA3uoSir

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.184

121.88.5.183

218.54.30.235

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	4a8d0c692042fcace23a8b9461050ddd.exe

Executes dropped EXE 1 IoCs

pid	Process
4712	opert.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4552-0-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x000c00000002318a-6.dat	upx
behavioral2/memory/4712-12-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4552-14-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4712-17-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4712-18-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4712	4552	4a8d0c692042fcace23a8b9461050ddd.exe	90
PID 4552 wrote to memory of 4712	4552	4a8d0c692042fcace23a8b9461050ddd.exe	90
PID 4552 wrote to memory of 4712	4552	4a8d0c692042fcace23a8b9461050ddd.exe	90
PID 4552 wrote to memory of 1908	4552	4a8d0c692042fcace23a8b9461050ddd.exe	91
PID 4552 wrote to memory of 1908	4552	4a8d0c692042fcace23a8b9461050ddd.exe	91
PID 4552 wrote to memory of 1908	4552	4a8d0c692042fcace23a8b9461050ddd.exe	91

C:\Users\Admin\AppData\Local\Temp\4a8d0c692042fcace23a8b9461050ddd.exe
"C:\Users\Admin\AppData\Local\Temp\4a8d0c692042fcace23a8b9461050ddd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eedb29ddd99eaacb97303426301d4575

SHA1
598485f712057df31e2318e85d17949510adea21

SHA256
79a0976bed8113f97584faf4ea7e820ecc6eb864a78b17fcdc9dcf8db252d84e

SHA512
cfcaeb5b791127f2b06cafc8590e4cc6ca2ea8a66f04abb7c6cad9bbe4ab84c819e1126b7919da68d3bdd25300866d695d40d61ab0b1cba8764c4c1dafe520db

Download Submit
C:\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
328KB

MD5
4a8d0c692042fcace23a8b9461050ddd

SHA1
b9eb6d038650d33fe9553d4e692e25088113d91f

SHA256
d6d1d6fe4be85a2b54ca97dcb642c53011e5b507eeb13f5c27cfa3c2aa751103

SHA512
f51092c252afb5844b3e7ba4b98aeb7e329a7e05a63504a8e627d3ce2717e9edf73a5e8c218b28d11af5d32a1996e54512588688fa8ddbf29549ec656299f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
62f32696e40b9df1f996c2707bb981ac

SHA1
c8110d33408b53d70148392f4c7b9248abeac967

SHA256
d49c46ff343c62a5397f95b8536103a5c19272977998155fa3f65774458f99e6

SHA512
3833b79c77bcf3a9237708fe7ff4510332ef3773d4a50694be42449743d5bbcb6c73173a45464f77239852a5a339ba05cf8f51eca536a8b6aaa53e0cf179e77f

Download Submit
memory/4552-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4552-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4712-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4712-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4712-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download