urelas | cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
Size

336KB
MD5

785a5215521aebe5a451ea71a9b08584
SHA1

f84373aea04589873857b5ea2023d9e95f9c32a0
SHA256

cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605
SHA512

752d5fa610fa49e6c13596a61295cb0beeefffc593ce5369719be9255f9d4a70896bfc10e6b244df526ab68b5d8ed4e1bc15dbcbb610ec0bf8f663a58ebf76a7
SSDEEP

6144:GLtOexihqv4m+lXD6betiTuBMTWjIDIiUBAkW9UOKMOtzWO8CatspddODi9w:GL1D+IatauBML42MykRa6p6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	kozax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	zobiij.exe

Executes dropped EXE 3 IoCs

pid	Process
2940	kozax.exe
3504	zobiij.exe
4112	risoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kozax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	risoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe
4112	risoh.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2940	4364	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	84
PID 4364 wrote to memory of 2940	4364	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	84
PID 4364 wrote to memory of 2940	4364	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	84
PID 4364 wrote to memory of 5116	4364	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	85
PID 4364 wrote to memory of 5116	4364	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	85
PID 4364 wrote to memory of 5116	4364	cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe	85
PID 2940 wrote to memory of 3504	2940	kozax.exe	87
PID 2940 wrote to memory of 3504	2940	kozax.exe	87
PID 2940 wrote to memory of 3504	2940	kozax.exe	87
PID 3504 wrote to memory of 4112	3504	zobiij.exe	108
PID 3504 wrote to memory of 4112	3504	zobiij.exe	108
PID 3504 wrote to memory of 4112	3504	zobiij.exe	108
PID 3504 wrote to memory of 3100	3504	zobiij.exe	109
PID 3504 wrote to memory of 3100	3504	zobiij.exe	109
PID 3504 wrote to memory of 3100	3504	zobiij.exe	109

C:\Users\Admin\AppData\Local\Temp\cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
"C:\Users\Admin\AppData\Local\Temp\cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\kozax.exe
  "C:\Users\Admin\AppData\Local\Temp\kozax.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\zobiij.exe
    "C:\Users\Admin\AppData\Local\Temp\zobiij.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\risoh.exe
      "C:\Users\Admin\AppData\Local\Temp\risoh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d7581919afe46a28bbcdc6e987968c0c

SHA1
29bbf6af4f4d8913d9da46dfacbd578921272cc4

SHA256
70d70c1b1d4d778430c904fdff9f6c9301126c8d9482c5c4aa777fc9b4771df5

SHA512
348105ab8f6aa2d9c95ece270574de4d57fd845991d045daf7c4c0682f220a79210ab9d127beb24cb4059310b6e3af8a4d99f0a606c913a5cac859eef533969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7f9a8299d2db5361e4bb0d66a577cecd

SHA1
60f42cbeedaeac6061355739a6d5235774c88d49

SHA256
96f88ffe17b1e97f758f3f5141b3548f494006ea865db080ac35a779000de962

SHA512
59b38493003794c34bbc0eb84b28b8d27825e1aaef78a2181569f07b68966140b4977cb575df751c95d16fe714b1b502c415b368a8052830bcbdc0e20a54b415

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
896dfeadafd9acbbf34dcc5108195005

SHA1
cf0c3bb75671f13bac3b1756fa117962aabeab5d

SHA256
8da07934a5b4d5817f3b786d5d52e055dcc507e3ad4bfe50460fa6603e328413

SHA512
7446e246bd08c03da634e2e6213b4eed55305d4db7ceb45f84b5f3434799fd2285cde48b9e5d8a7b269a901a5f621af92431151e68a6a8c464a1ad7285d25e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kozax.exe

Filesize
336KB

MD5
f833854b181789cd6d6d2ad7c1c1bda4

SHA1
cf10aa8f2eb36b47eeea63d5576ad7f8e4e35dd6

SHA256
c6ec26847855de87dddb3ff7d345cd188aca2e91484dcb9acfd582e24be9c92d

SHA512
e27ef972e4cab32c1011afe89f98ab8b5c65a84003b501109a1c3a9c03aacf5d3fbf03b53e1c78738cfc1a5e805dd7533a52c53d89f253e0d0f9ce711c0f1a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\risoh.exe

Filesize
223KB

MD5
d6a30aa9c8f7c87843979bb70035f006

SHA1
73a85040bd04262dea1c2a9ccac350430fcd50bd

SHA256
ea02049650131ed35f44f4de3bd491872bf173453d56ce3004b581815dc392b3

SHA512
2d3630cd0d9d68e526c9670ebff3e3651cad4cce15dd5e7390dc58474cbf7b9fb88b05ce3761831c96e5ba6229449d29971f7c5c984fa08830d4dd9dd281f69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zobiij.exe

Filesize
337KB

MD5
c5ba752500fd4fdf68d8e46174b9b8a3

SHA1
ef6be9cf8dfb2bd6524d0d7d558b42a54b4e4e32

SHA256
9f6d3a86d9043ddb6c9d8213debab64e8d9b9fe29bc5ad645928c3b89eabe5a3

SHA512
fc0b42c028d40625145cea2b67bfcff8171dd820e5c89cd2406c464a4e4f02b8d366a5fda2f7ed6a933a2113e7f6ddb70a0a7ab53964c5b54366b9b301d2c20e

Download Submit
memory/2940-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2940-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3504-29-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3504-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3504-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3504-54-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4112-50-0x0000000000310000-0x00000000003B0000-memory.dmp

Filesize
640KB

Download
memory/4112-56-0x0000000000310000-0x00000000003B0000-memory.dmp

Filesize
640KB

Download
memory/4112-57-0x0000000000310000-0x00000000003B0000-memory.dmp

Filesize
640KB

Download
memory/4112-58-0x0000000000310000-0x00000000003B0000-memory.dmp

Filesize
640KB

Download
memory/4112-59-0x0000000000310000-0x00000000003B0000-memory.dmp

Filesize
640KB

Download
memory/4112-60-0x0000000000310000-0x00000000003B0000-memory.dmp

Filesize
640KB

Download
memory/4364-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4364-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4364-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download