urelas | c1e416b5ef92bb83151b2033bb85771ab1ff9d6538c774bffd2da862c250dc9e

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 18:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe
Size

597KB
MD5

71ca76e53b3cf6b0d0645516599f6866
SHA1

e3469fb09232a1d59693ac4dda46205567d51410
SHA256

a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914
SHA512

d9e45182d9107cfbd9b1046e755e1719e914ee3c9840657626950a70cbf410f142c41512cec10c31d02bcc2000d9aff1403ff4945f0eece89917b6f5197794cd
SSDEEP

6144:KzU7blKaPcbhj+bB7ktZeRnVDJm0oNjOPdInpBH:MU7MLb4BQkntwNjqd2

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ojvuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe

Executes dropped EXE 2 IoCs

pid	Process
4496	ojvuw.exe
2440	ogluz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojvuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogluz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe
2440	ogluz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4496	4784	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe	87
PID 4784 wrote to memory of 4496	4784	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe	87
PID 4784 wrote to memory of 4496	4784	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe	87
PID 4784 wrote to memory of 2396	4784	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe	88
PID 4784 wrote to memory of 2396	4784	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe	88
PID 4784 wrote to memory of 2396	4784	a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe	88
PID 4496 wrote to memory of 2440	4496	ojvuw.exe	99
PID 4496 wrote to memory of 2440	4496	ojvuw.exe	99
PID 4496 wrote to memory of 2440	4496	ojvuw.exe	99

C:\Users\Admin\AppData\Local\Temp\a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe
"C:\Users\Admin\AppData\Local\Temp\a56f581e5702649e6e049130a90f9beb954acc90fc5d060366cf4de35b493914.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\ojvuw.exe
  "C:\Users\Admin\AppData\Local\Temp\ojvuw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\ogluz.exe
    "C:\Users\Admin\AppData\Local\Temp\ogluz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0bebb2d5c7a81c58dcff2638ffd56c53

SHA1
0f8878425868b9c95445b1eb773a625f3d834234

SHA256
df969d5f0541673e53f5d8a9fe825eedd20bbf969a30403e8d2d3ad0082e5e7b

SHA512
04bbc369762cdd4be315985ca964c97d048195e46e133fb9681f35db1c1904405d44b3137a29dfc153c0f44ae2f4e59de3cedbb2973f9d77f7d7fff005c2e9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8b700351d8c5cdc30abf8ce33aa51a88

SHA1
26489f12a0e70bc6e7e14e18b9f6d79f94a49015

SHA256
72351df0b69e746bd83cf671b8ff8782e0cf46bc8d683ba19e03ce4d34170770

SHA512
798c9c6d78b110a255a8907b9c5059040ca33fffb150949388b3789dd71f3783d42fa3717658b102710a2707b91a3863a0d497d7c194877a2dd55fa1f6fb304e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogluz.exe

Filesize
211KB

MD5
495626ca89abb2a6d84de4096f2a93a7

SHA1
7b622298cbc79594203b6c2de996a4df35ff2102

SHA256
6f779e9e8c1f10de5723bdb63776209deb67a0f2c1be8f46c310c3b8f44e21d6

SHA512
590d79b0f11ffd99671bbf51a38240e748a1ba472fc01e0add011c9480200a9145571aacee34b395a6e34c53027f628013cc87cf3e3bfce0cb78d44c1315a2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojvuw.exe

Filesize
597KB

MD5
be7515dab2f4c62bb36c853f4cd6cb2a

SHA1
42d6371da30ad1b6b32d2cc59f62516e2027865d

SHA256
75d5202138f7dd77634ac13b7bf4b154e5b205d4f5486f823896084504388fb3

SHA512
177c6a002a5e2b6f08b50874d457bb3c5db023410256d7711b0ac42c96ae44f9fe7348b3cf64522f1139b76dd82775a22cf539745176777a312abfccb13e5ea6

Download Submit
memory/2440-31-0x0000000000EE0000-0x0000000000F91000-memory.dmp

Filesize
708KB

Download
memory/2440-27-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2440-24-0x0000000000EE0000-0x0000000000F91000-memory.dmp

Filesize
708KB

Download
memory/2440-30-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2440-29-0x0000000000EE0000-0x0000000000F91000-memory.dmp

Filesize
708KB

Download
memory/2440-32-0x0000000000EE0000-0x0000000000F91000-memory.dmp

Filesize
708KB

Download
memory/2440-33-0x0000000000EE0000-0x0000000000F91000-memory.dmp

Filesize
708KB

Download
memory/2440-34-0x0000000000EE0000-0x0000000000F91000-memory.dmp

Filesize
708KB

Download
memory/4496-16-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4496-26-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4784-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4784-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download