urelas | afd5947c53ec3fbfa05babc02f2a638c6b9a59d1303bd9802ad23584465d91eb

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb3775cf3ffe36b9c5cfb9f37ad5e638.exe
Size

415KB
MD5

fb3775cf3ffe36b9c5cfb9f37ad5e638
SHA1

fe8ce16de51789591531d2c30813329a49953326
SHA256

afd5947c53ec3fbfa05babc02f2a638c6b9a59d1303bd9802ad23584465d91eb
SHA512

ad3366cc580c7e6271747f004683a5d043dad0d57b62d83ca98ab37d985b37295510a02e5bae7ff60497f3d57419710b9a53555c0fd0e0fdea70084ef999fc6e
SSDEEP

6144:bzwArTEDSCs5wL0DKlpn/URBudL7qRBpkvfsModogZ/SvnDTH95r:bMmQDSCs5wo0e8L7qRbQUugennHX

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	hinuu.exe

Executes dropped EXE 2 IoCs

pid	Process
1008	hinuu.exe
3256	bykid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe
3256	bykid.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1008	540	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	91
PID 540 wrote to memory of 1008	540	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	91
PID 540 wrote to memory of 1008	540	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	91
PID 540 wrote to memory of 320	540	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	92
PID 540 wrote to memory of 320	540	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	92
PID 540 wrote to memory of 320	540	fb3775cf3ffe36b9c5cfb9f37ad5e638.exe	92
PID 1008 wrote to memory of 3256	1008	hinuu.exe	100
PID 1008 wrote to memory of 3256	1008	hinuu.exe	100
PID 1008 wrote to memory of 3256	1008	hinuu.exe	100

C:\Users\Admin\AppData\Local\Temp\fb3775cf3ffe36b9c5cfb9f37ad5e638.exe
"C:\Users\Admin\AppData\Local\Temp\fb3775cf3ffe36b9c5cfb9f37ad5e638.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\hinuu.exe
  "C:\Users\Admin\AppData\Local\Temp\hinuu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\bykid.exe
    "C:\Users\Admin\AppData\Local\Temp\bykid.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
1750aa75e225f011f32fc32e633fd45b

SHA1
60bcc738c3e74d6e5767e33434bf5d44f9d38287

SHA256
ba68800b86f85fd03d60200be65a883fe54e2378b8c74d176cda495567cc6f81

SHA512
8eb27ba9f6529af41309758d9066724ec664e3c7408cd279ed610e06e66bf2a64333ab4792004cc9d1728e40b10c0f8ccf91fd56195734485b5b83185a9055dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bykid.exe

Filesize
175KB

MD5
7d61ef10f759d6fbf6e86cbfa3fad27b

SHA1
6763212ed567b8ca13b0c100d33d4f7f7099261e

SHA256
44e8ccc96985a47aae04e5a4253a227b4e4ee85d23a96d113618ac270037a730

SHA512
610273b589feb0748ca569688dad334aa21e6eb7edbadf4240e06b77e37ceb0d5de42f521903d96a91672746ed68116ad6c74d0a10a774b0d3d2b04245fd0648

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6d95a24c9c89b3885fe21a956c5ea7b8

SHA1
73a9c205e754eaead36988d8127339bf6692a8d8

SHA256
c56a89b51d1c5293aac799241783cdb8de4fc05a21dd82ad58f8354a546812a5

SHA512
36e62b54fbabf3f407b6b7d73973af112afb76db7d11f99b9f4b8ac8143bffcae4f365230ce71389e293b64ae44ddb12247baf9e8fffbb3946a1a616381e49fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hinuu.exe

Filesize
415KB

MD5
e5e45cfc0d87a7c7d320eed1a1873343

SHA1
267c7e2aab48ea3f355e16df75409b35fe0f1dba

SHA256
027a66df2ca0dae060d68c4bf70508f459657def665b1661fbe3b96a3a7a70de

SHA512
26f4e5b9c74d586ffbbb4b1c190879a74162e87aa6b99f5c892d418f22f12211b884e32d6cd5c01435a45d7d328893bf8d91f2de6ff3c70326a9516b17d6a753

Download Submit
memory/540-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/540-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1008-12-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1008-26-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3256-25-0x00000000001F0000-0x0000000000280000-memory.dmp

Filesize
576KB

Download
memory/3256-28-0x00000000001F0000-0x0000000000280000-memory.dmp

Filesize
576KB

Download
memory/3256-29-0x00000000001F0000-0x0000000000280000-memory.dmp

Filesize
576KB

Download
memory/3256-30-0x00000000001F0000-0x0000000000280000-memory.dmp

Filesize
576KB

Download
memory/3256-31-0x00000000001F0000-0x0000000000280000-memory.dmp

Filesize
576KB

Download
memory/3256-32-0x00000000001F0000-0x0000000000280000-memory.dmp

Filesize
576KB

Download