urelas | c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4

Analysis

max time kernel
134s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe
Size

94KB
MD5

4aa063ba4fb63ff349391c6592e4e14a
SHA1

b1640b759c5fbbb35ce1faab74c63866d4c0a54b
SHA256

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4
SHA512

2466a38f714d8255c846b0502618d41179c1c0fccbdcfd7ad5a43628811aa768b447c0a7edf4f1898cc1fd90be5457710df05788dadfc67d7f6fc6077e239651
SSDEEP

1536:NzPr/365lm9HM3RgIHYBv1osX1XCDN/on9CW:NzTS5lm9aRgCkgR/onEW

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Detects executables built or packed with MPress PE compressor 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/220-0-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Local\Temp\pfpt.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3432-12-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/220-15-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3432-18-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3432-24-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe

Executes dropped EXE 1 IoCs

Processes:

pfpt.exe

pid process

3432 pfpt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3432	pfpt.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe

description	pid	process	target process
PID 220 wrote to memory of 3432	220	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	pfpt.exe
PID 220 wrote to memory of 3432	220	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	pfpt.exe
PID 220 wrote to memory of 3432	220	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	pfpt.exe
PID 220 wrote to memory of 4632	220	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	cmd.exe
PID 220 wrote to memory of 4632	220	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	cmd.exe
PID 220 wrote to memory of 4632	220	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe
"C:\Users\Admin\AppData\Local\Temp\c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\pfpt.exe
"C:\Users\Admin\AppData\Local\Temp\pfpt.exe"
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
7cef10d017255fbbe3cb8d4f7cc3fa1b

SHA1
2bdd583439b73c33e5ef05547c2db935776bb9d3

SHA256
47c244e8bd413f9371a43336a501e3c3f98f885136fec0b36f661eb7273365f1

SHA512
e9c3818e6ef10c4c16743abd3a155528d65230e0e160c93c4f83ee14b7b9c0196f7518aa2f2e76aad4aec3f821d7cdb43bbd2bcd2dd283298aad09a19f457254

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfpt.exe
Filesize
94KB

MD5
549b5993cf33648fde97c1bb076ad983

SHA1
08bfe7c27e71f70e8a7323a11c0fead7c2d4b3de

SHA256
61f31792fe81a51d372a7a22ba504a42699bb1d905a271a775814a0e62fb6eb1

SHA512
a84e1e0d1e458b34a1f75f57963b1838e7e563f2d1bbf1461e518a218c7e7855f236814e016893515ee94310ffb0db1705548f07f73b724cdbdb513a8546045a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
b765cf78bd8e5d1eb92ef5aa91716198

SHA1
954f22c754565a4c1d61f38e73a1b19ad1cdbce0

SHA256
cfe385e5d94452ebce5cf5443af521dd70ad42a9c90be6b57e5616ba8d9a932e

SHA512
abf4ad7858f694bd9cfe825833426eaaf1d0752f515db1848c1350bbe0fb1348d8a4f61cb41c7c48704ad0a00f6ed3b4b25d36644795f20c59f36c61cb2736f4

Download Submit
memory/220-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/220-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3432-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3432-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3432-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download