urelas | 5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe
Size

73KB
MD5

63ca74b30001f2d7debbb7a1fc8fe491
SHA1

1fcac20f88719f1a912f9af40b6a9e4919f90f15
SHA256

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a
SHA512

a2baa7c846b1000c4073b818fc478e98dcb534a7242a19eeee22e87dd493b2bbffbb19ea21cef5046989a071e7b0eb6e876b4e93e9e6c134f815224829568c20
SSDEEP

1536:JgajdM0t2hl9ET9xBOz3BODtysTHFQJmGh/ty:X32h7yxBGmtHQUGhFy

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe

Executes dropped EXE 1 IoCs

Processes:

opert.exe

pid process

3972 opert.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3972	opert.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe

description	pid	process	target process
PID 2388 wrote to memory of 3972	2388	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	opert.exe
PID 2388 wrote to memory of 3972	2388	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	opert.exe
PID 2388 wrote to memory of 3972	2388	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	opert.exe
PID 2388 wrote to memory of 3240	2388	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	cmd.exe
PID 2388 wrote to memory of 3240	2388	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	cmd.exe
PID 2388 wrote to memory of 3240	2388	5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe
"C:\Users\Admin\AppData\Local\Temp\5a032ae9b8bff08a1f03ed34c5485a4bc288204461b282b86c5babc7d10ea56a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
2⤵
- Executes dropped EXE
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
6735bbe93159782090eb9c49dde676c6

SHA1
6edec7009f27d90d36081a9d4a05fc6e6bde28e2

SHA256
f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217

SHA512
8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696

Download Submit
C:\Users\Admin\AppData\Local\Temp\opert.exe
Filesize
73KB

MD5
808b0d554155cfe4c562a58e8c29a4b8

SHA1
12693083f7989515dd6ff32e82d938543a11e1ba

SHA256
7efa5e5fe267bfb23aa35bf8ef7fd445322f76b053cc67c50756e73c51eac459

SHA512
e052b7182fa5c68e5a40dffdb7a1d2a8be0dd23d8c2dab4d9aa69850fae5d633411ed9e476537babe1b8018f88208f409e236fb406be64316212a4e94baca28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
17fe8377b691db4d279b7f52dd16d0bc

SHA1
7053710e04c73c4e962dc91d09119696b4853ba2

SHA256
f038f36f538fd3a16cc2086f51c66256a80603e2c941a123e2de9e86836f6d20

SHA512
757067c28e180ba628314be75936941dd6ff28a80f40058766d5ccc29a736beccedb3513f717d05cc0a58c7e4a4760093e5c580472610246da313ec0deea45cf

Download Submit
memory/2388-0-0x00000000006F0000-0x000000000071F000-memory.dmp

Filesize
188KB

Download
memory/2388-1-0x0000000002BB0000-0x0000000002BB2000-memory.dmp

Filesize
8KB

Download
memory/2388-16-0x00000000006F0000-0x000000000071F000-memory.dmp

Filesize
188KB

Download
memory/3972-13-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/3972-17-0x0000000001390000-0x0000000001392000-memory.dmp

Filesize
8KB

Download
memory/3972-20-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/3972-26-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download