urelas | 9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe
Size

520KB
MD5

7aeb4fb5521d15566fbc495db4b72cc1
SHA1

a0239f1af6ce25d4e4837a9ff7ef1ee03a11c11b
SHA256

9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37
SHA512

c3eec6503f28ee2af019ea9db49987ab5cc69737816351e6c060c7504d7566163ea45d5559a805a60f43753d27738b4c2395894d47afd43bab626984243bb22d
SSDEEP

12288:1dOLKTCqqwXCcdgT89+MvA+BisqYpxHtW:1AlQC+fs0M

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	hycyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe

Executes dropped EXE 2 IoCs

pid	Process
952	hycyc.exe
4584	zojas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe
4584	zojas.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 952	3696	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	90
PID 3696 wrote to memory of 952	3696	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	90
PID 3696 wrote to memory of 952	3696	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	90
PID 3696 wrote to memory of 2348	3696	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	91
PID 3696 wrote to memory of 2348	3696	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	91
PID 3696 wrote to memory of 2348	3696	9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe	91
PID 952 wrote to memory of 4584	952	hycyc.exe	102
PID 952 wrote to memory of 4584	952	hycyc.exe	102
PID 952 wrote to memory of 4584	952	hycyc.exe	102

C:\Users\Admin\AppData\Local\Temp\9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe
"C:\Users\Admin\AppData\Local\Temp\9dbdb6701a1cddf57b8b437e0aaa48b1134306e313becff62a76b6a5f37ddd37.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\hycyc.exe
  "C:\Users\Admin\AppData\Local\Temp\hycyc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\zojas.exe
    "C:\Users\Admin\AppData\Local\Temp\zojas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3f95bdbc3a47d2059509649c45fea216

SHA1
b0306d47dc9b09b7a9eac56a20896e4b86a13bdb

SHA256
e8facd23218ac24a5f5788d7dfc811b8bc4e0775a9d35ad23740b9d6526200d5

SHA512
3a52f2da96e72a59c6f72011d662f22692cfc76abe370ee0ea316bfbfe4db6a3bd9f67b7f37d0794a292210749742c81ef21208492aa15b1425111f4f754993b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
12357c4edc3afba16e5c1d246d3cc440

SHA1
103ff5a21f82751c4dbddee122e124e58d033a15

SHA256
9a2788e440361eb03e3a60a3df03440d7a01e6af6f192119922138c6a25f5f0b

SHA512
fb184b42d4dc0f84faa615d96e7f9b6f9d9375b3ef513ab16a80b8f9d41c792895037a8ac3660a09e42558762c63f2b312e47cf4ce0a75a67e2dce14f6173eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hycyc.exe

Filesize
520KB

MD5
e97b3c5322f9e4264b3f3408005ea41c

SHA1
46dad5fe18e26ae119e1e79e7ea36f3801823588

SHA256
82d051e8861e1b95f8cef8d1fa169f6427f23eaf834a796817316c7188763d7e

SHA512
f513d9d363bcf599df48ab1b628fcd78c2c834154fcd8daf2a8719e09c1d07cef6818530a63baf2f99861a5f9f11bc58d11fb10c6e38555871d10be4cd5db561

Download Submit
C:\Users\Admin\AppData\Local\Temp\zojas.exe

Filesize
241KB

MD5
e7e15ab146533d31a12b9dd8d5053dd2

SHA1
a2d13f0a8f11308646f5128fa52808e1f6126d9b

SHA256
37d25359250c5a7263175b2d7a77bbdbec71841494b900ea44fcc0f231b7da5c

SHA512
cb51afd9011512d92eb57cba42a13029d3c4cab45e362a033541636e1c7c96696325e5a7fbd2a5242dc6d9e2cc8e0ae60bb6c92908e9905a00e105842f5ea422

Download Submit
memory/952-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/952-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/952-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3696-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3696-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3696-1-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4584-28-0x0000000000E80000-0x0000000000F36000-memory.dmp

Filesize
728KB

Download
memory/4584-29-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4584-32-0x0000000000E80000-0x0000000000F36000-memory.dmp

Filesize
728KB

Download
memory/4584-33-0x0000000000E80000-0x0000000000F36000-memory.dmp

Filesize
728KB

Download
memory/4584-34-0x0000000000E80000-0x0000000000F36000-memory.dmp

Filesize
728KB

Download
memory/4584-35-0x0000000000E80000-0x0000000000F36000-memory.dmp

Filesize
728KB

Download