urelas | 56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313

Analysis

max time kernel
98s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe
Size

168KB
MD5

c4fd1a2a1454b47763044537512fc850
SHA1

f1b765caafc9383770589afa294ce6001cce30f9
SHA256

56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313
SHA512

548c90238039fa7c5b59e99310142eb25205cac2ae6ac0084fbb205796ea3f9a6db6d2b97dc0d90b0717b3693d8bc15fdf8c7399016e2794b30a1bbd99a5d09d
SSDEEP

1536:eADA0Wbt1931D2P7BWLQ4zR4LUKMcPHFE3HP/GTW65CGEgvpxyTf/K:eADA0Wc7UJ6LZMaHLW65DE8pxWq

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2652	1188	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe	91
PID 1188 wrote to memory of 2652	1188	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe	91
PID 1188 wrote to memory of 2652	1188	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe	91
PID 1188 wrote to memory of 2316	1188	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe	92
PID 1188 wrote to memory of 2316	1188	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe	92
PID 1188 wrote to memory of 2316	1188	56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe	92

C:\Users\Admin\AppData\Local\Temp\56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe
"C:\Users\Admin\AppData\Local\Temp\56a74e83d8e3c75a7bcc8d96a62e8888acc28e70bb83b41e0227a2f03e0e9313N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e9bde5b44e2cc18d88ff2ee2dbc7081c

SHA1
b2eba2136f52d53ff3f60541bc79e7b217d0b268

SHA256
53c25f3ea9f537bb7d5accae21cbc5c9ef83e4bdf52143201ab08b69403b489c

SHA512
573357570a89779fc2984dcc70639460bc8d0cfc6d3a0a37d0623a5804630e804b34671b0f98765b9f7a68b04aa550ffbfd9ca69f6157cff1c826466943bfc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
168KB

MD5
51c539369e25937f9402b7554c3a31ee

SHA1
c5648ae3aea5c592d867d4bfa2a945adaf86a7f0

SHA256
c03aa14bc13565bfd208d128a6822551655314e44f2861ca9837545321c4fabf

SHA512
3d41d803ab68aafd1a5ae1a40a552d953dd32c13b758e4db9152e0cc4d4d83de6617d1e7024d5254f4c065274be33db533d5f2dbc378157596251f279eac84a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
c69ab3dd3d74ed523e368c9631add662

SHA1
af4d4a37751b4df211e1c2b1ef77988dc4564eb5

SHA256
b3e30a46b40014a4e32190cefcf83ff5cc3f1ff522bf066d9ce3237bf8f74850

SHA512
d850df577fa2146c8c224d6e97439ab845a1e6c97b718b6873258c260aa59bcb8ac56d15f06a0b8b7af75cb4677f34723ff42fa4c10b16788ea627b8238fb1b8

Download Submit
memory/1188-0-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/1188-14-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/2652-12-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/2652-17-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/2652-18-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download