urelas | 293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe
Size

58KB
MD5

69f61954dc6135d6aba3417742f0b73c
SHA1

127bcff9611f2449e8fd84cd93e8672b1862bd0c
SHA256

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913
SHA512

ba47712fafd18e8755ec2af667e86a4b5d466210cbe0b959da9f88a7d3d61804f2e3a07c2de16ac7398c82cd7a04b1cc9bbddb93928fed999540235162cb32b2
SSDEEP

1536:l7X2lykmUO2drIYfdQ3W8PTZEd4Ejf/kE/Q6mhnDxMmKy6:VXmykmU9If3h1O4Eb/eOX

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe

Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

3996 huter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3996	huter.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe

description	pid	process	target process
PID 1108 wrote to memory of 3996	1108	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	huter.exe
PID 1108 wrote to memory of 3996	1108	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	huter.exe
PID 1108 wrote to memory of 3996	1108	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	huter.exe
PID 1108 wrote to memory of 5060	1108	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	cmd.exe
PID 1108 wrote to memory of 5060	1108	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	cmd.exe
PID 1108 wrote to memory of 5060	1108	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe
"C:\Users\Admin\AppData\Local\Temp\293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
14ab4579b6f3a97ff1099d4591f166c1

SHA1
9379aa65d3bfd4f819f06417b90dbc9ec7bc1354

SHA256
1bf9ad4eb9a6ec73fdd5bd94de5ffca1d94a48707f5a2818d5fcd68033cf1101

SHA512
a6342bf2172f65e4541230f91249c77e5ef2e558acaa91caec520fc4b2ca2f57a4f687c62227a7d20b0264b41bd88f6ad3d38d23bcf571165693b861232c4ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
58KB

MD5
3a4c9e963a7c7aeefc7ad4e4801c16d6

SHA1
723b022ac8fa105f638ac51caf6a96e0567b5dec

SHA256
435e7b9f9c845230f1d413d0b0560e1c933df0075224e8c275fd99b35b5a9cb8

SHA512
692c056915e5de36ca55b25394ae7bac8c8337f64b8d3516571e0c630ccb8d10641eb149a607aa772cd9e959ca0c4d697a8864290ca5a6edd59ddc7af35b6f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
44d252b1ec954ab24c1b4faa5cf7c92b

SHA1
e0017dc235a1257bfa7299811188c37c7594d064

SHA256
34d2403b03da79cc2431d7cddd11aa04e8036cfc4c696c59d6d7c642f94e16b6

SHA512
a86408cd8eca2fdf43d442537154d6c5bc557a045e471f700b8ac4797ec31beabbb2c54e380f393bf94dad6472ecc9acb63dc60ee3d3883decbe596fc43728ee

Download Submit
memory/1108-0-0x0000000000DB0000-0x0000000000DE7000-memory.dmp

Filesize
220KB

Download
memory/1108-15-0x0000000000DB0000-0x0000000000DE7000-memory.dmp

Filesize
220KB

Download
memory/3996-10-0x0000000000D40000-0x0000000000D77000-memory.dmp

Filesize
220KB

Download
memory/3996-18-0x0000000000D40000-0x0000000000D77000-memory.dmp

Filesize
220KB

Download
memory/3996-20-0x0000000000D40000-0x0000000000D77000-memory.dmp

Filesize
220KB

Download
memory/3996-27-0x0000000000D40000-0x0000000000D77000-memory.dmp

Filesize
220KB

Download