urelas | 7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe
Size

463KB
MD5

e0ada6ad8b630e3a025fa62c846a1346
SHA1

84132766b6ecfd33760c40ff23f9abe286902944
SHA256

7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614
SHA512

b4afe28fcae4fdc29be8aef9c3c73d35e78559cc4117922850c6eea71b506b87ce8b2b518c24497c8d5654227217f21741e04f74022cdcb00062d2765a25425c
SSDEEP

6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpms:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsu/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sander.exe

Executes dropped EXE 2 IoCs

pid	Process
4572	sander.exe
3096	ctfmom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe
3096	ctfmom.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4572	3268	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe	86
PID 3268 wrote to memory of 4572	3268	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe	86
PID 3268 wrote to memory of 4572	3268	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe	86
PID 3268 wrote to memory of 2660	3268	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe	87
PID 3268 wrote to memory of 2660	3268	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe	87
PID 3268 wrote to memory of 2660	3268	7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe	87
PID 4572 wrote to memory of 3096	4572	sander.exe	104
PID 4572 wrote to memory of 3096	4572	sander.exe	104
PID 4572 wrote to memory of 3096	4572	sander.exe	104

C:\Users\Admin\AppData\Local\Temp\7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe
"C:\Users\Admin\AppData\Local\Temp\7d8b01e27861c2cca4d683a3934509c01e5390dddb1c49e01379029c84b41614.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
4f2d8dd0ff0913366cfe1cc6f9758921

SHA1
c8fa363f87cc0fb225c3a954c9f72860424b809a

SHA256
67de4145656a5bdd3e986e1256391fd360fc93df3bcc584984c990af11c1eb0b

SHA512
32228b6b20f1d6b7834d19f3a6442896edc2c9a63faeed19f28febf6bda7b7062218678aa8c967a5262b0d640d1181af47f777fcc38f42fe229a2b20b9c6c84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
68da7014567b80a32887a9a86edb32d7

SHA1
dc4094941bbefeb2096a36f46fcd1928a5c7a8af

SHA256
434518e315ffa354c5fe743740b1fd542bfe46cb737740cfe61ef079a825349d

SHA512
3a90fd7f6221ba114cd8b866b59af4330dc97216e84cac02c78b854235a58c11cb0c55a22db6403681823031cfa53e40c7d37ff7f5c6399e42db65e332e376ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
463KB

MD5
ad9113c88a00df8cdbb35d31cb002d50

SHA1
e6656650af54c4db0556560656912f18583289cc

SHA256
0632f6bd443e22230577c2938bb144160b0ee8d6ed44250bda75a9036fcbc6ce

SHA512
13822fe39573649049583eaf6d51d39d1c1fcd89e17386a7ac0b57964ef6f8c676c4428f90402ec85a24203f71c211d4e0603a18ac2fa538f0c0ac286e95363c

Download Submit
memory/3096-28-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-37-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-41-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-40-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-27-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3096-39-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-38-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-26-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-32-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3096-33-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-34-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-35-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3096-36-0x0000000000540000-0x00000000005E1000-memory.dmp

Filesize
644KB

Download
memory/3268-14-0x00000000000F0000-0x0000000000172000-memory.dmp

Filesize
520KB

Download
memory/3268-0-0x00000000000F0000-0x0000000000172000-memory.dmp

Filesize
520KB

Download
memory/4572-31-0x0000000000770000-0x00000000007F2000-memory.dmp

Filesize
520KB

Download
memory/4572-10-0x0000000000770000-0x00000000007F2000-memory.dmp

Filesize
520KB

Download
memory/4572-17-0x0000000000770000-0x00000000007F2000-memory.dmp

Filesize
520KB

Download