urelas | 59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe
Size

76KB
MD5

f2bc391f02e9589972e233b10db8e9a0
SHA1

d4c7c8909e6e107d6b81a5fa006e90962843e511
SHA256

59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7
SHA512

02e062a9172a1fd4a5755a5c5183b7c6f59e8761977ae1652f4a27bb0a5f46750f41b3384acb6e843da792f18ea05da0f393e18e6808d9d7d3e48fc31a9ba2d4
SSDEEP

1536:+Uk8RgDXz7Kx8zzgmTlvtKrNCpbXmsz4tHITZ:Tk8yn7KdmTINQXzz46

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2000	1596	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	82
PID 1596 wrote to memory of 2000	1596	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	82
PID 1596 wrote to memory of 2000	1596	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	82
PID 1596 wrote to memory of 2884	1596	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	83
PID 1596 wrote to memory of 2884	1596	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	83
PID 1596 wrote to memory of 2884	1596	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	83

C:\Users\Admin\AppData\Local\Temp\59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe
"C:\Users\Admin\AppData\Local\Temp\59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
76eaed1cdcaa3e93de67dd5f94abb63e

SHA1
c0e0ff36484832ed8fd69b50fc2d2691811f218b

SHA256
fe485dd700b9b8c95e9de719dc1eb9ecf25b8f554fc23a3baa679ff12aa173b5

SHA512
bcf04a4f6e80db17fbb6d9be2b9c5722cd2118a6dbf4b2fc8a438efd8df1085fbc2a08047d1aaa909095f48294c2bb454ac66d76110deb6b6ec153b8a1a5511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
0d7a85d263d3c442f0e9ac0766fc9174

SHA1
378e83483ff25d233b36e84e6ad8df06d725025c

SHA256
3c975495d322acff9610f6b9c1e090df6491b6bc39bd0a0015cdd2a90352e6e0

SHA512
1f718a3a7ac6ab990bfc4f41b55806cd0ab8858bd77cdd04bac3cafa5ff23981a61f79f3d38a1598c57e234ce8a0dae4ec418af8503b024b75cc91f756b7ff4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
8c717a8587c9d6249019cf0301a65ac4

SHA1
072d63c3648a323b62c0ea2ca813ecb51a155f5e

SHA256
d6b158c378cfb3dd82c78bd156b5e3335f1b72bf2f2a38d8f39a519bfcb56deb

SHA512
68fe471e304353e34a5b84807d89ad55b4711cd1590f322e6def7f40da25f8abb4c4f2770a84b5fd369494d9078733e2d5a3db3ef4347899a7603e8c371c7861

Download Submit
memory/1596-0-0x0000000000D30000-0x0000000000D5F000-memory.dmp

Filesize
188KB

Download
memory/1596-18-0x0000000000D30000-0x0000000000D5F000-memory.dmp

Filesize
188KB

Download
memory/2000-15-0x0000000000E90000-0x0000000000EBF000-memory.dmp

Filesize
188KB

Download
memory/2000-21-0x0000000000E90000-0x0000000000EBF000-memory.dmp

Filesize
188KB

Download
memory/2000-23-0x0000000000E90000-0x0000000000EBF000-memory.dmp

Filesize
188KB

Download
memory/2000-30-0x0000000000E90000-0x0000000000EBF000-memory.dmp

Filesize
188KB

Download