urelas | 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
Size

370KB
MD5

b33392085cac871c0419f5dfe397dd88
SHA1

2d960bf4926db71fdb34d9af1e23916919e01738
SHA256

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad
SHA512

611112722e3c71fb167bbfbc2ccbff808d0c3012d7d2710b9511d84274198c75b42fcba3397c655e73d776c7b8c025b446d24e3d741e7ffd6edcc3ecd399fc8c
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCO0aHftvCGCBhDOHjTPmXHk62p8:CzGL2C2aZ2/F1XaveOHjT4

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe

Executes dropped EXE 1 IoCs

Processes:

anryo.exe

pid process

4020 anryo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4020	anryo.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe

description	pid	process	target process
PID 3036 wrote to memory of 4020	3036	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe	anryo.exe
PID 3036 wrote to memory of 4020	3036	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe	anryo.exe
PID 3036 wrote to memory of 4020	3036	4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe	anryo.exe

C:\Users\Admin\AppData\Local\Temp\4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
"C:\Users\Admin\AppData\Local\Temp\4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\anryo.exe
"C:\Users\Admin\AppData\Local\Temp\anryo.exe"
2⤵
- Executes dropped EXE
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\anryo.exe
Filesize
371KB

MD5
7eaee461c4d41acfbbf1ad500cbf6696

SHA1
2fa5e594872e3e781880123eb5bb7716a9071bd8

SHA256
d0304215ca84c3e7c018971ddf5632e8c77e2c716586b7c8fb117666518c6808

SHA512
537691553fcb21c920ae66a03164aef9f7ca6a8a7c897ae468d4ec64be079997a4c9ad6bd30f84544be6e6097f7a3857f64ec2be4608a19be82ff6832d4c580d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
cceb732b170b4064673cd070a1f2ee3c

SHA1
b09f195e20a1b00a71a6cb365628c3c8199707f7

SHA256
de45bb4f38d370370df2a82f2cc69e6977376cd053eb8e7f4b012d1cb6e61429

SHA512
40a00cfae29e32c55f9ae1f537e07d3c2332adc6f1198ff40f0b7bf53e36212f4c65462bfb626f4eb580f3032278f92eb02091bcfeb8e1e281649dac9f776204

Download Submit