urelas | cf5fcd1ce26d83b71539b0edc1208adec76cf97e232d8156c8adfddb9d65b437

Analysis

max time kernel
134s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LisectAVT_2403002C_109.exe
Size

164KB
MD5

6dcfa266f1fa61e2c654eab023ee2333
SHA1

9e1f2e7c59a64168e9d12464d4839a6fc834645d
SHA256

cf5fcd1ce26d83b71539b0edc1208adec76cf97e232d8156c8adfddb9d65b437
SHA512

185c9e64f795d1518983a1662a656de7996064753ae4a8bf374de941d948d7a7600e99e495a5c2b8284f6b2978615a9fc979ba144d01cf3f07092f50cd9305f4
SSDEEP

1536:TBozpvLpc3lM8/KedqfTnB8Yux9W1jVTTZufp6kKZLVBzRIUggnZkHuoILpPhHqH:NUvLa3mfTpNuAkKZZBdBeHuoILpPKoxk

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LisectAVT_2403002C_109.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	LisectAVT_2403002C_109.exe

Executes dropped EXE 1 IoCs

Processes:

poldge.exe

pid process

640 poldge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
640	poldge.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeLisectAVT_2403002C_109.exepoldge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002C_109.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poldge.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

LisectAVT_2403002C_109.exe

description	pid	process	target process
PID 1040 wrote to memory of 640	1040	LisectAVT_2403002C_109.exe	poldge.exe
PID 1040 wrote to memory of 640	1040	LisectAVT_2403002C_109.exe	poldge.exe
PID 1040 wrote to memory of 640	1040	LisectAVT_2403002C_109.exe	poldge.exe
PID 1040 wrote to memory of 3772	1040	LisectAVT_2403002C_109.exe	cmd.exe
PID 1040 wrote to memory of 3772	1040	LisectAVT_2403002C_109.exe	cmd.exe
PID 1040 wrote to memory of 3772	1040	LisectAVT_2403002C_109.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_109.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_109.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\poldge.exe
"C:\Users\Admin\AppData\Local\Temp\poldge.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af6f90fee60d60070d9076eba7533c76

SHA1
015da84cb0cfce8699e8b1937dfac54a15e7e792

SHA256
14360d90f621ef9e1d84b269de67f782c9f6a904cf3226c2724d4898c157b687

SHA512
53ce60ef6f9dc9241d106d4e160833430e7855a221babf9835578096313a7a8ba1285df8d5620850ffe9f41f860e04e758a2f0be6fe688a87ea13d780234c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
164KB

MD5
b265483e3c718a0198b605d24fa94970

SHA1
f9f143029f6520df892a5131e6ef2335dc45e955

SHA256
7820702dea7f0ec70fb07a8aec00a0ac0bdd33e849f4816faac2869f453c181c

SHA512
704deed37a56605a0b95bc6a7e1ffcebff10b474af6c47495f395bcd85e4125ded8d5039088b71387ee75f6d7a1f656b5479b0ec151aaea75eff0d2cb669b9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
254B

MD5
a6fc5972d142fd74da41de5b0c86c553

SHA1
74c551de9a4782b40bbb3f95e9b4b97866f417da

SHA256
979d325a7f8b25b065f0335b5174b44bb167eadb2d0d94ba384a8fb6368b2ba1

SHA512
f25c2e2debc056dcd7ea87b287b8f3c665e28ae91833f8aeb043bc05a7244e716bdfffb385d7f93236cbc39983b8ec58e8010b5829e44ddee56ccf11122a0a87

Download Submit
memory/640-12-0x00000000004F0000-0x000000000051F000-memory.dmp

Filesize
188KB

Download
memory/640-17-0x00000000004F0000-0x000000000051F000-memory.dmp

Filesize
188KB

Download
memory/1040-0-0x0000000000C50000-0x0000000000C7F000-memory.dmp

Filesize
188KB

Download
memory/1040-14-0x0000000000C50000-0x0000000000C7F000-memory.dmp

Filesize
188KB

Download