urelas | 2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870da

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe
Size

75KB
MD5

cd32ae4b366337014b1272d4555117a0
SHA1

7ea4b34ec103835f9005566a84646458e635894b
SHA256

2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870da
SHA512

75e818488240d6e3fe980afaf1933e203fa0c5a9fa18ff9f111cd5b6a238c87f6b3718a7b305bc2382e338f0465309ef8e89d2e2453c7df434625ad0702ea819
SSDEEP

1536:+Uk8RgDXz7Kx8zzgmTlvtKrNCpbXmsz4tHITo:Tk8yn7KdmTINQXzz4V

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe

Executes dropped EXE 1 IoCs

pid	Process
112	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 112	1120	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	83
PID 1120 wrote to memory of 112	1120	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	83
PID 1120 wrote to memory of 112	1120	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	83
PID 1120 wrote to memory of 4932	1120	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	84
PID 1120 wrote to memory of 4932	1120	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	84
PID 1120 wrote to memory of 4932	1120	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	84

C:\Users\Admin\AppData\Local\Temp\2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe
"C:\Users\Admin\AppData\Local\Temp\2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
76eaed1cdcaa3e93de67dd5f94abb63e

SHA1
c0e0ff36484832ed8fd69b50fc2d2691811f218b

SHA256
fe485dd700b9b8c95e9de719dc1eb9ecf25b8f554fc23a3baa679ff12aa173b5

SHA512
bcf04a4f6e80db17fbb6d9be2b9c5722cd2118a6dbf4b2fc8a438efd8df1085fbc2a08047d1aaa909095f48294c2bb454ac66d76110deb6b6ec153b8a1a5511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
75KB

MD5
7c3677049b0b510ea462e8a0837d069f

SHA1
43d23adc42b14fbb7b206e9b420dbbc42c3ea73c

SHA256
8c796d04eb7ee4c2177a1a90e1125fc66cd7e252628e76c011b8fed5cd41df2e

SHA512
a67142b0b8c6a010c4bd5fd89df6a86736bb8777c0bc02e91cfda913c25775284489f18d6554a9c7b8fe8e7bdd9eab063f73596e6cd260bb4b625ff3f821aef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
7c1682ad30ef63f0047e1ff02531ce89

SHA1
7cf164e6fa8ce052d7149e836a1c1b9c823ddc82

SHA256
af47b9a19c28c9bbb02c0eea340c0196644bb98bf856fef0d03c19e356c2b90c

SHA512
ab51ec3a1d980bab469ad1e6e4702caa35b3febfc9a7736bf340d485495b5e75e0db6f77da37f0f451a01a528e431bcb173ddb9ccb9b7fd2fa33d890c3b50265

Download Submit
memory/112-13-0x00000000007D0000-0x00000000007FF000-memory.dmp

Filesize
188KB

Download
memory/112-21-0x00000000007D0000-0x00000000007FF000-memory.dmp

Filesize
188KB

Download
memory/112-23-0x00000000007D0000-0x00000000007FF000-memory.dmp

Filesize
188KB

Download
memory/112-29-0x00000000007D0000-0x00000000007FF000-memory.dmp

Filesize
188KB

Download
memory/1120-0-0x0000000000410000-0x000000000043F000-memory.dmp

Filesize
188KB

Download
memory/1120-18-0x0000000000410000-0x000000000043F000-memory.dmp

Filesize
188KB

Download