urelas | 653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe
Size

93KB
MD5

9ad3c3f8b3ea9acc79311422bb59d2da
SHA1

97f19c8de3bae716769a8c5a4943df974b578b6d
SHA256

653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce
SHA512

08fa0bb96d4e0bec84704b557323d19bd49db12aadf522c63ad2d5e2d8f5f94bd5ea248ad8fd36c2485892f535fdb8bb64b05168426953eaff8a35ce7e07f1d0
SSDEEP

1536:iDJj/L6UWX/iDdolO4g033dsA2+n1qn1iLdB6XC:iDJj29G4gItR7n1qn4LdoC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe

Executes dropped EXE 1 IoCs

pid	Process
4408	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4408	2808	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe	83
PID 2808 wrote to memory of 4408	2808	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe	83
PID 2808 wrote to memory of 4408	2808	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe	83
PID 2808 wrote to memory of 2648	2808	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe	84
PID 2808 wrote to memory of 2648	2808	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe	84
PID 2808 wrote to memory of 2648	2808	653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe	84

C:\Users\Admin\AppData\Local\Temp\653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe
"C:\Users\Admin\AppData\Local\Temp\653e5c630d326fb3e5881ac6887c1b382d76afe32e7445688793746edc3977ce.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bd60c62717a862c75bbe8c97f365be39

SHA1
bf0957b47d8a44f51f9e9680c4e06710edc91b1b

SHA256
40afdaa0bdbd385e5c0f0c0899eb8dc107877ab9d815d7b8885bd4c3f1e34873

SHA512
8d2fc5df78c3badb96ec1c1126366c25a235f9487b7a6754abf9d9b47ece7a70a187b45ada732aa14f63f1f9520b01432f0ba1b752775e26fe8b892848a01825

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
93KB

MD5
57275328f2ba2a1cf295724b3be28d0f

SHA1
33a9bb7b1d5f0f5076feb95f052cb7565340479a

SHA256
9542b0c09ab65c7ed91a9e5d7a3748c93f2de3bc9d69b343e9fc4747e22fc8ff

SHA512
2f52508386758ba4c58c65805775440ac7d2ab7a5ae879184715341e5e1e588c17c625be9b5993fe5b4461f2ab7a3dee6a641eacdcb1114cfac43d23adf46b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
2f02154156e741e52ed4f4d309714011

SHA1
b1b17f1772547bc5f49455957124ce96036fa881

SHA256
ea31404127be0a9327592deb9b3d8b4046c2717556cd5b990be269b80396bf9c

SHA512
78e774e931c10c5ed9d186451aef178e53fbcc58116c9d68d79b879e92737b4be964b35ac180eb6a2694eec9d24687e1b72f6a4f1fa96f97ea117d0f389f902c

Download Submit
memory/2808-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2808-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4408-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4408-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4408-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download