urelas | c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe
Size

77KB
MD5

3111f9fd6eba6b81f2b694d4bc429ef9
SHA1

4c507d0e044b5e2ef1789c84103249a80d1397f6
SHA256

c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f
SHA512

00f517dc8f922fc4553f6ddacc8a6d3abee0271780739c19756ead94b11b3edfc1d4e03e4c0ef92358827d6f53c8106ae10f015be9c056af20be6ecc1e22a48f
SSDEEP

1536:1D433Oe20lleqbmruXP+9E5KJ+e8Xwhpf5:1Dcpl1mrE+EeBJfB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe

Executes dropped EXE 1 IoCs

pid	Process
860	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 860	1524	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe	83
PID 1524 wrote to memory of 860	1524	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe	83
PID 1524 wrote to memory of 860	1524	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe	83
PID 1524 wrote to memory of 64	1524	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe	84
PID 1524 wrote to memory of 64	1524	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe	84
PID 1524 wrote to memory of 64	1524	c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe	84

C:\Users\Admin\AppData\Local\Temp\c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe
"C:\Users\Admin\AppData\Local\Temp\c227e2aa0b489c19454d09b03a9a634d5efc7ce2b119bde44f91eba63eed8f4f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e9bde5b44e2cc18d88ff2ee2dbc7081c

SHA1
b2eba2136f52d53ff3f60541bc79e7b217d0b268

SHA256
53c25f3ea9f537bb7d5accae21cbc5c9ef83e4bdf52143201ab08b69403b489c

SHA512
573357570a89779fc2984dcc70639460bc8d0cfc6d3a0a37d0623a5804630e804b34671b0f98765b9f7a68b04aa550ffbfd9ca69f6157cff1c826466943bfc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
77KB

MD5
9cd5664ed4f1e2983a2b6205eb9b6661

SHA1
85015f99fe8381ced7d47a390bb05bc560a4c4e6

SHA256
e5ded6528ce1d3fa622d587c6479b4615d313735d2a721f323178740fb5b7c6f

SHA512
b45f393bb36c5105144f36294f2ef2dff14c664eac90f58c2f130d3060e913b655b7c26e8812a4180dc4f3c545f97b3b7e0084f68348cf987d2ad39473a9d71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
efeef9994eff51e00355175f7f318566

SHA1
03567ad4ab137ff2d3ff707fc0069768e4fa4747

SHA256
df7457db554cfbf110be6915264548b7683cda03fefc1a77ba7523564acadfef

SHA512
aa87544bc2c12f3177ebc7bddc86450e345873749b936e448aed69a132685c5a484c18d68bf08452b4efd2c311b721c0cccc59fa2966a87cee272bc426f91a39

Download Submit
memory/860-12-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/860-18-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/860-20-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/860-26-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/1524-0-0x0000000000F70000-0x0000000000FA0000-memory.dmp

Filesize
192KB

Download
memory/1524-15-0x0000000000F70000-0x0000000000FA0000-memory.dmp

Filesize
192KB

Download