urelas | 867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 00:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe
Size

205KB
MD5

18f4738a12f6780dac73d129b589f54e
SHA1

5255e7b2aaa150ecde836a2a7854c374cd684ee2
SHA256

867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee
SHA512

8d313e3b6ce16a164ca99e320e4095bc582326af8830d8489eb505f8c58d15d2e2dd88c5c7177a6b18be404a405e2f853ebec171782a1794763ffec1b843281d
SSDEEP

3072:DPijU4kcITkEnbBvByrEVoULptsdXfBo/DBJBGzkP5knJ5o:LijBkcITtnbBvnjLpSa/5kM

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe

Executes dropped EXE 1 IoCs

pid	Process
2040	shoste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2040	4828	867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe	91
PID 4828 wrote to memory of 2040	4828	867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe	91
PID 4828 wrote to memory of 2040	4828	867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe	91
PID 4828 wrote to memory of 1040	4828	867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe	92
PID 4828 wrote to memory of 1040	4828	867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe	92
PID 4828 wrote to memory of 1040	4828	867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe	92

C:\Users\Admin\AppData\Local\Temp\867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe
"C:\Users\Admin\AppData\Local\Temp\867efa5ac64d7cdc73361bce100a1b6e7c2443aaf8f4f1141540f8de4490ebee.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f51c1462254f3bb8aa00201af0b0a030

SHA1
60d3c892bb5c4f654c318451012f936d81164418

SHA256
695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5

SHA512
41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
45f3108ffaf7cb339ee6aca9294e2824

SHA1
c58afa7f57d340d5d0ca3073f60478b496b67d8d

SHA256
77dc2a0d6fde77b51e93b03d584c5eeae02670572c537bbcdd037afacd738102

SHA512
19aa304bc25ee4de74b1ea92fe1106b66ea795c19e002a40db0a3224a90b39cbbb69d4973127bc270da54883456e720565da5b199120ec1b30eb8816ec75402c

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
205KB

MD5
cbad49216358c878e4680a4ee1f450bc

SHA1
fe729538c1ce22b4357050d0b36772876aa2e707

SHA256
5defc8752ef704f62f96ee390cc14437a89102fb7f0a7f8be776ce0224b8aa12

SHA512
300d3b69b345e560826b89da2ad7f738298e44728bee1ab041d4e58c3dea3416a0f1ea4a0f360b2b9885b53f14afd95ec8c19c65a7e0a06d419e176d7617dd26

Download Submit
memory/2040-11-0x0000000000C90000-0x0000000000CC6000-memory.dmp

Filesize
216KB

Download
memory/2040-17-0x0000000000C90000-0x0000000000CC6000-memory.dmp

Filesize
216KB

Download
memory/2040-18-0x0000000000C90000-0x0000000000CC6000-memory.dmp

Filesize
216KB

Download
memory/4828-0-0x0000000000B30000-0x0000000000B66000-memory.dmp

Filesize
216KB

Download
memory/4828-14-0x0000000000B30000-0x0000000000B66000-memory.dmp

Filesize
216KB

Download