urelas | d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50

Analysis

max time kernel
115s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe
Size

234KB
MD5

e0b44d97a6ad7f788e6d23ebcdd0b4a6
SHA1

e1cfab504d60b9d43c176b7ceb4ce977f8673025
SHA256

d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50
SHA512

f29bc9dfffdbdc0c95cefe52dca52f513f403faa85e37f1e6cb2b52718e60a115aa2500d1c5514da93da0f588bac3f7af38e4f8b10f3203268c74479c41530ac
SSDEEP

3072:Adrb8W+tGKqLDphy9q65kOVp4lwlq1/9l53GdeItG+XNcX1Mg:A1QW+tGFLVRXOVuwlqpAN4lMg

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe

Executes dropped EXE 1 IoCs

pid	Process
3456	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 3456	1756	d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe	93
PID 1756 wrote to memory of 3456	1756	d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe	93
PID 1756 wrote to memory of 3456	1756	d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe	93
PID 1756 wrote to memory of 236	1756	d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe	94
PID 1756 wrote to memory of 236	1756	d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe	94
PID 1756 wrote to memory of 236	1756	d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe	94

C:\Users\Admin\AppData\Local\Temp\d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe
"C:\Users\Admin\AppData\Local\Temp\d5911d52b274c81999acea9ca76c22c065e3a530da6d0e5fceb283cb1bc22b50.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4432 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
38df3cee9628e806ae028a55840b216e

SHA1
bd1faa7e39dbf5f8d7a8749e81a45edb29998d2d

SHA256
778e377beba133790823de61cffba536573321eb8c2a432f570647af685a868a

SHA512
d6648c439438bcb9e0080bd5a07483d4b05d5e81d69b09b5eb46e6422fc8b86c08fc5f5e9d169d54f26becacfdc43ef4609c22aa9b3dc19b472a8368c0913feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
234KB

MD5
3c556d5fe51935e57e85e7847c1ea05c

SHA1
097f504ff7666536be1f70ed27d158cd2f8dab66

SHA256
a13e1e28b5ed4ceea8a12c39795a3da1c189b09e6aa4d8135727a718f5649930

SHA512
ee96d206771a60738c91fc11799befb18b8e275c551f419679ad26c32ef078252659890441ec8ec9cb3099d95d1ea0f4a51aacce1811c4d5c56dc7f2bb9b0f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
e4e71c45bcdc238b4c50e93ccbd33a60

SHA1
f850d279115f8a24e538468704dfe72378d4fb79

SHA256
55c3cb49b676c4d0013f35fa92819afdb5b714053b1a572e1c9143a7ca914f40

SHA512
374e5d256f0345dedc2be45b61424c1185997fc5a80d02887248555a3ad705afbbf2f5a4c57844253931e9ac5ff0f5c6bf1b934f1cb66c5c43a35132dfd85973

Download Submit
memory/1756-0-0x0000000000100000-0x000000000013D000-memory.dmp

Filesize
244KB

Download
memory/1756-14-0x0000000000100000-0x000000000013D000-memory.dmp

Filesize
244KB

Download
memory/3456-12-0x0000000000B60000-0x0000000000B9D000-memory.dmp

Filesize
244KB

Download
memory/3456-17-0x0000000000B60000-0x0000000000B9D000-memory.dmp

Filesize
244KB

Download
memory/3456-18-0x0000000000B60000-0x0000000000B9D000-memory.dmp

Filesize
244KB

Download