urelas | 6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 22:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe
Size

322KB
MD5

c5f6b9312e45926c423a5169b31ab73c
SHA1

11527c0e86602b2e7cd75c06358d3f7ac521ffc8
SHA256

6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e
SHA512

3560208317666a7a580f7b6c5a00a761965cf500abb8f5f3d5136c8bf4ae015b530170e3d9c810e506a836b9641571ad9d0699fa9666cf228acd0694a49195ac
SSDEEP

6144:TOAztL6W+JJMPkZ5tJb52Wd83erDPKmjxTz7HbYcPCVYhg+KI1:TOMFwMPkDH/QiPLxvzblu2FKe

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe

Executes dropped EXE 1 IoCs

pid	Process
4164	votii.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4164	2360	6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe	87
PID 2360 wrote to memory of 4164	2360	6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe	87
PID 2360 wrote to memory of 4164	2360	6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe	87
PID 2360 wrote to memory of 5104	2360	6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe	88
PID 2360 wrote to memory of 5104	2360	6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe	88
PID 2360 wrote to memory of 5104	2360	6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe	88

C:\Users\Admin\AppData\Local\Temp\6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe
"C:\Users\Admin\AppData\Local\Temp\6cd2196539fae6a03d8e45e8e74d6d0b8e13288ec55a24dcce42e6282d33bc3e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\votii.exe
  "C:\Users\Admin\AppData\Local\Temp\votii.exe"
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3767a042daa72d1fcc0697a0e2042f54

SHA1
6f435fd82a378829ef079b8a0333f846a32e0cc6

SHA256
791cb30b0b055978c159224ac296f22bb8ce78b3ee8af5fadb46329a572d2e95

SHA512
e7d4236f41dedb1b1b8f2363c3ee0f1de9025d6c26abeaff03ffb4f96ee392d60633b5d5ffa84c5a9ef4af00d5cbc1e77a48db207b5214f7e0035432cba1f2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9bbe472c950b611ccd0ca0faeaa41e53

SHA1
d3350e96a9373a95b9954c9be55d24640cb7987e

SHA256
668b2032092d7d08194c51cf4c49097e01353a7997d9e32852d8f0b2ae1556e6

SHA512
b107e17ff4a0e3ce07c9df37e9eaa236346b979e47cbcf8258813ed919ee72c89aff564873cf88b6484cd60aea90e8560a4bab9b9a37416158ffc0825b2d4a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\votii.exe

Filesize
322KB

MD5
a619037fdffa5c84e93d7201f2405dc0

SHA1
7217c42916d18b349f1707bab1c2e58f6dcd2294

SHA256
56323c4cbf8c23d4c246385dc8cf81dac7f698860b245841fb573e9ee104a89c

SHA512
a47486763fcddbde8321ff56fe7764e7e0cf35cb31f5a2290b2d1edb904fac17b6f742fcf7fb432e9ba8c340549a6cb7f9461880a2029a0309ee0ada98a0ec64

Download Submit
memory/2360-0-0x0000000000980000-0x0000000000A2D000-memory.dmp

Filesize
692KB

Download
memory/2360-14-0x0000000000980000-0x0000000000A2D000-memory.dmp

Filesize
692KB

Download
memory/4164-12-0x0000000000770000-0x000000000081D000-memory.dmp

Filesize
692KB

Download
memory/4164-17-0x0000000000770000-0x000000000081D000-memory.dmp

Filesize
692KB

Download