urelas | 5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1e

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe
Size

94KB
MD5

ac2b568e1dbf238ea91ee2bdd46db1d0
SHA1

93f75123f3b5b7ff62805b88ffa11b6b932fb120
SHA256

5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1e
SHA512

2b47a240eabdd7a9806e1531f0a09cb96498237930b7e36fc939769b445621e3afc6f09c766b3ea7c347cfe3c859506a2f97129461e854d5b70a5b0e3f79742c
SSDEEP

1536:nwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M9co:nqV9MziU4piRun7C3CP3MT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe

Executes dropped EXE 1 IoCs

pid	Process
4532	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4532	4456	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe	82
PID 4456 wrote to memory of 4532	4456	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe	82
PID 4456 wrote to memory of 4532	4456	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe	82
PID 4456 wrote to memory of 1820	4456	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe	83
PID 4456 wrote to memory of 1820	4456	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe	83
PID 4456 wrote to memory of 1820	4456	5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe	83

C:\Users\Admin\AppData\Local\Temp\5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe
"C:\Users\Admin\AppData\Local\Temp\5b07e78224332d18a4dd62abcf09213edbab86467be494abe3aa571857eb2d1eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
94KB

MD5
9c7e60f98bf6603f1ae4f6b98c303ac3

SHA1
2e64c43e748bb854023a83f354392a2d875353c4

SHA256
3ca558749dc37ede109412946f2049dd7df3bfb6e04dccd1c36ddc0ac33b71d2

SHA512
e3dfbf0f578c33f264448381b4964f63d13341f9a9f69aaae8ff176b41d53a956e62640d8d519aca814cf88383083db72613f051d0ec218e0fcbde0946d63872

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
23ad5ac14795ef275611fbdc70531902

SHA1
ac1b8166966cab38ce0f688d2c458d42ce665ca4

SHA256
44ef568f70b3bc36752338dcdb299d7226c1524e7aacc12653256fce0e9342a3

SHA512
c28359da8c5c7674bd3be3f201064b9164ecf0a522a6e17a5b7eff0611728367e13171d9e1e9529c94b0cbd9f240672c98283dd5788450289a5db6452a1428d6

Download Submit
memory/4456-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4456-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-29-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download