urelas | 10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0

Analysis

max time kernel
150s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe
Size

399KB
MD5

dbdac103db46cfbe2b5762de21b6536e
SHA1

f5121d5fba25bc379fc50b82c19f08bccc849a9e
SHA256

10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0
SHA512

b407fc4179999357cc1f328e57ef275ef883aeca11b8583491a6bfb64af6c48eabd0640b1bfb1b6e7f9671ac75c8c7ef40fe655993be8fc6785c1e68bbba175e
SSDEEP

6144:Osa1jZVgy03se7k5kBTTg7YMz6j8GuHEqqtKKUrBwj3bdRZ0UG:qtVgyuse2kBXg7Cj81cKK7jB4

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	jyzab.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	jyzab.exe
4632	leqen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe
4632	leqen.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2840	2448	10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe	86
PID 2448 wrote to memory of 2840	2448	10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe	86
PID 2448 wrote to memory of 2840	2448	10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe	86
PID 2448 wrote to memory of 1148	2448	10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe	87
PID 2448 wrote to memory of 1148	2448	10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe	87
PID 2448 wrote to memory of 1148	2448	10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe	87
PID 2840 wrote to memory of 4632	2840	jyzab.exe	97
PID 2840 wrote to memory of 4632	2840	jyzab.exe	97
PID 2840 wrote to memory of 4632	2840	jyzab.exe	97

C:\Users\Admin\AppData\Local\Temp\10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe
"C:\Users\Admin\AppData\Local\Temp\10eb75ed6f0669230cadd78089dcba5cd4a849e512f71053e955f6ce0c812ca0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\jyzab.exe
  "C:\Users\Admin\AppData\Local\Temp\jyzab.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\leqen.exe
    "C:\Users\Admin\AppData\Local\Temp\leqen.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f25fdcb6c98b93c9e3ebbd912c5c6a32

SHA1
2860bd98b65cec8e46a73007d4261a5dbd99463e

SHA256
45c8be078b62f753f820d0f9f5e4f5fcea0eb21614ae5d65b690a84580b03b3d

SHA512
9ac17f3440a1d7b609ed562a25c4f1bc33029a3a88ee771c89fc2926972905c5236ca35bd1dbb94c03c6e58915c0fae7b3be26cf1a9f5bce261e41d3157eabc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
caa002ca7e2bb5593199110156669e5c

SHA1
83c545c1120127421b4af66164668034ed00203f

SHA256
595e5788f830a7dbd394847e808b80cb3e939dae88bca1c47ac7db0658ebe784

SHA512
10f4f4c2b238be6a0ce20805387ddffe0c393d89a315ec276a99308c7dace9738c0cbb06001a2c9d94aa15a7857e259345263e43385cbbb155f4bc18d717c445

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyzab.exe

Filesize
399KB

MD5
ed0c6f67a5c2f075d590d26f04c71157

SHA1
de635d012378a85e9dbebad4f735fca29b1dfb9d

SHA256
50fe07c51797e9511a845ce73889884d99ab04a358f715ed706d0710c906e751

SHA512
8e54a681bfecae663df5d604ade4a64feef022617c89026fbe95cfd398ba352a74a2e78146cf456b1b24e7efd273d5d0a2215de2e6a613e0728f97251dc3efb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqen.exe

Filesize
206KB

MD5
ef43ddbdf3374bc375210026efac8b92

SHA1
3cbd39b69d661581c4dd4667743bc9df6217c010

SHA256
5ff32b6466b8b5ec48d15c02e9a28f6735820ed909e0467b98a3e1282b674853

SHA512
3fa5be86c5a443c50dedba1f84e0677b6999ab79e1cb2a82d828136c7e38824d58c32c1c7bdfbbc3b1fb6a171eb29739e531f71e8720fd0a8a52697a5270a7d6

Download Submit
memory/2448-14-0x00000000008E0000-0x0000000000949000-memory.dmp

Filesize
420KB

Download
memory/2448-0-0x00000000008E0000-0x0000000000949000-memory.dmp

Filesize
420KB

Download
memory/2840-12-0x0000000000B30000-0x0000000000B99000-memory.dmp

Filesize
420KB

Download
memory/2840-25-0x0000000000B30000-0x0000000000B99000-memory.dmp

Filesize
420KB

Download
memory/4632-26-0x0000000000FA0000-0x000000000103B000-memory.dmp

Filesize
620KB

Download
memory/4632-28-0x0000000000FA0000-0x000000000103B000-memory.dmp

Filesize
620KB

Download
memory/4632-29-0x0000000000FA0000-0x000000000103B000-memory.dmp

Filesize
620KB

Download
memory/4632-30-0x0000000000FA0000-0x000000000103B000-memory.dmp

Filesize
620KB

Download
memory/4632-31-0x0000000000FA0000-0x000000000103B000-memory.dmp

Filesize
620KB

Download
memory/4632-32-0x0000000000FA0000-0x000000000103B000-memory.dmp

Filesize
620KB

Download