urelas | 434119bcf36903f160aa3e0099aa9374576f3280190bb4c3e6b9e824446f4cd7

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d272f969b47773ba645c703210f4f6a0N.exe
Size

82KB
MD5

d272f969b47773ba645c703210f4f6a0
SHA1

15f02f2147d65ad211c714b8f9d6d0e8f002e410
SHA256

434119bcf36903f160aa3e0099aa9374576f3280190bb4c3e6b9e824446f4cd7
SHA512

fc6f43c35aec0df682fe8f01d499d36357167908afb21e7090f6f804af9663c814620301593f8dff04907234f91d7ee07c6093974782e67c37f8e8005a62d09e
SSDEEP

1536:JmBpNDAoG2kf4F+KfQwHq0NVFXqKseZ656KqBxhKYvonouy8GVUVhzv:8hDAb2VHR5aKsDIbTomAoutGVUVxv

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d272f969b47773ba645c703210f4f6a0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	d272f969b47773ba645c703210f4f6a0N.exe

Executes dropped EXE 1 IoCs

Processes:

opert.exe

pid process

2276 opert.exe

pid	process
2276	opert.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4736-0-0x0000000000A80000-0x0000000000AB9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opert.exe	upx
behavioral2/memory/2276-12-0x0000000000DF0000-0x0000000000E29000-memory.dmp	upx
behavioral2/memory/4736-15-0x0000000000A80000-0x0000000000AB9000-memory.dmp	upx
behavioral2/memory/2276-18-0x0000000000DF0000-0x0000000000E29000-memory.dmp	upx
behavioral2/memory/2276-24-0x0000000000DF0000-0x0000000000E29000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d272f969b47773ba645c703210f4f6a0N.exe

description	pid	process	target process
PID 4736 wrote to memory of 2276	4736	d272f969b47773ba645c703210f4f6a0N.exe	opert.exe
PID 4736 wrote to memory of 2276	4736	d272f969b47773ba645c703210f4f6a0N.exe	opert.exe
PID 4736 wrote to memory of 2276	4736	d272f969b47773ba645c703210f4f6a0N.exe	opert.exe
PID 4736 wrote to memory of 1092	4736	d272f969b47773ba645c703210f4f6a0N.exe	cmd.exe
PID 4736 wrote to memory of 1092	4736	d272f969b47773ba645c703210f4f6a0N.exe	cmd.exe
PID 4736 wrote to memory of 1092	4736	d272f969b47773ba645c703210f4f6a0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d272f969b47773ba645c703210f4f6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d272f969b47773ba645c703210f4f6a0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\opert.exe
"C:\Users\Admin\AppData\Local\Temp\opert.exe"
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6735bbe93159782090eb9c49dde676c6

SHA1
6edec7009f27d90d36081a9d4a05fc6e6bde28e2

SHA256
f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217

SHA512
8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696

Download Submit
C:\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
82KB

MD5
a61d79e6d1a709caab6001686b663015

SHA1
63e4b9a318968255633ef972f8cb8e4529275d21

SHA256
3096d4a66dfbe5d5f8afbe92ba42b81118e4112634388043459f00d97570f3c8

SHA512
67be310d99076bb3c3c68d02aa8a7f0d3874c0501c0e9bf88b1823ddc2b99680e224045d618f1e1504a07737e321e2b7d321b02efbf29fff9933d2e542ed4238

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
2ed16c50805ea854a39d6ae7015615c2

SHA1
46f8bfcf8d7c593702992af51204ce68dff4cda7

SHA256
6edb32b7052e998ff2cb703e56999fe33a5a93bb5ea4ea5e294587219d675d1f

SHA512
9d4c167399477aaf13c9e41111cc95264a3c9a496ec0bc51c9de1b9345fd51d6470f52c3d4c5f12f045ff6d9f2673caa8cc920465edce2f8260139152936461a

Download Submit
memory/2276-12-0x0000000000DF0000-0x0000000000E29000-memory.dmp

Filesize
228KB

Download
memory/2276-18-0x0000000000DF0000-0x0000000000E29000-memory.dmp

Filesize
228KB

Download
memory/2276-24-0x0000000000DF0000-0x0000000000E29000-memory.dmp

Filesize
228KB

Download
memory/4736-0-0x0000000000A80000-0x0000000000AB9000-memory.dmp

Filesize
228KB

Download
memory/4736-15-0x0000000000A80000-0x0000000000AB9000-memory.dmp

Filesize
228KB

Download