urelas | 9d95423e39f83c4ec2a0a0ff65caa3aa31e43fb1c310ec19030dc3c5797300cd

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7Y18r(153).exe
Size

214KB
MD5

4563c37b9f722ce72a16aa7b9e33a260
SHA1

b7cbf85e2a5d5138620c3624a2db1d6c59dd453c
SHA256

9d95423e39f83c4ec2a0a0ff65caa3aa31e43fb1c310ec19030dc3c5797300cd
SHA512

d7e14e557cfa1684817212413fece2ea3604ae4f12439d61e077056dc34dcef104ba306a15cb0fda0f30e748ef5cf0404a46790f617624fb746bc16f0aa5368d
SSDEEP

1536:1q1utPdWHdPEzoT2/VhWbnoZSKLfiGGPgq3ePAH8PNqWxCxrR/x9sU4BHk:1fPdWqV0CvL6GGCPNqWUxrR/x9sTBHk

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7Y18r(153).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	7Y18r(153).exe

Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

1808 huter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1808	huter.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe7Y18r(153).exehuter.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7Y18r(153).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7Y18r(153).exe

description	pid	process	target process
PID 3428 wrote to memory of 1808	3428	7Y18r(153).exe	huter.exe
PID 3428 wrote to memory of 1808	3428	7Y18r(153).exe	huter.exe
PID 3428 wrote to memory of 1808	3428	7Y18r(153).exe	huter.exe
PID 3428 wrote to memory of 4584	3428	7Y18r(153).exe	cmd.exe
PID 3428 wrote to memory of 4584	3428	7Y18r(153).exe	cmd.exe
PID 3428 wrote to memory of 4584	3428	7Y18r(153).exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7Y18r(153).exe
"C:\Users\Admin\AppData\Local\Temp\7Y18r(153).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8c69e006046149f40585fb3e1bfafb4

SHA1
97073fb1d116248dbecd009e4bf873ab45c6c2da

SHA256
df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

SHA512
b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
214KB

MD5
f78f4267bf695998231d9ac5031126e7

SHA1
ead4a71993052db43524a98ff421c8800b2c0faf

SHA256
b6d6d7ee0e2a7bd30c737f071fcdb32dc0275fc873b817b2d00ec3a89991b0ca

SHA512
046dca87ce3d9a8da61c7e0c643e87d84eb7b41d1a08d652f61a2ce02c60b0ef2c6bd69e8a55b68f43f844f7089d149625c84427dbb6aa3057b90b3c92845fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
230B

MD5
4368cf8b2637c6f304a375946ef66890

SHA1
dc5e592bf9006432d8df020fac532749b167c99c

SHA256
5133ffe620012062235e63756c177f073205f1fd9a1c6bc971e733b39712efaa

SHA512
0faa6fab28ffb46da544d89807fdf7a01291043792b3c172abc0579e4795cff385773237b2280112523f829782c3c0169dd0dcd672904f4f593c2a616221de6f

Download Submit
memory/1808-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1808-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1808-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download