urelas | a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe
Size

52KB
MD5

9af13eefa1c43616678857117e2d15c0
SHA1

d1d903a3562799fd09997feb404a77797c54a7ca
SHA256

a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266
SHA512

fd42c3164671c4657073de765ef0a9fbbc41f678aff04fc6ab8527ccd38cc549a6c75fb07afa7f54fe2e17d8343c5ede10c1b87eac81dda4e8b44f89eb2814e1
SSDEEP

1536:h+Ds6ClDXuqweo/0khAUnJDgabGsVy6umfFlPhPCp:KsdXfBo/DBJBGzkP5PCp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	shoste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shoste.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4704	4400	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe	82
PID 4400 wrote to memory of 4704	4400	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe	82
PID 4400 wrote to memory of 4704	4400	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe	82
PID 4400 wrote to memory of 2548	4400	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe	83
PID 4400 wrote to memory of 2548	4400	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe	83
PID 4400 wrote to memory of 2548	4400	a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe	83

C:\Users\Admin\AppData\Local\Temp\a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe
"C:\Users\Admin\AppData\Local\Temp\a70689fe56c2ed6bec88c4d70cf276641be871dbe971222e1bea14cac2bfa266N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f51c1462254f3bb8aa00201af0b0a030

SHA1
60d3c892bb5c4f654c318451012f936d81164418

SHA256
695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5

SHA512
41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
a6cb48da762a21859b553c6c3a2bf5bd

SHA1
2f08df74d0774e6f44827f683b56fae1321c0c95

SHA256
35c3d76dcdf71a157dbd8537195c076d1af4fd48f4325eb94d2a66d0f7714aff

SHA512
1bf4a00e7333f150bc3ba0950eb2d99d55b39eb81d1a99319b02709cd9a5842ebaf98e2b448f5774114c9e7eadc361e9c9f532b6043e288a5e2ae647722d2655

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
52KB

MD5
8ea8b30e47787c2538526b89a1ea1a0c

SHA1
fd8b75802da141bec9b0102fba916278ac9ac10c

SHA256
589a7cff12e100df9e12d767d691f2467a58fa04d4cd9ab3e0783c32137291ad

SHA512
c233037e6aec5da4e70200a0efb3efb37727bf38b5fad59df101a2a5baa1505b202db4200b87dfeaf84326653624eb8f78066e381f45195607dcc74264af1e7c

Download Submit
memory/4400-0-0x0000000000450000-0x0000000000485000-memory.dmp

Filesize
212KB

Download
memory/4400-15-0x0000000000450000-0x0000000000485000-memory.dmp

Filesize
212KB

Download
memory/4704-12-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download
memory/4704-18-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download
memory/4704-25-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download