urelas | 680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
Size

329KB
MD5

7b3bf7bfd2f0a2aebfa9fdcb9f086770
SHA1

07b2ba679d18619d522fa3be509f2c2e00b24789
SHA256

680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e
SHA512

b28c22a9a014a059d6fcadeefa97da1c318abacb6b52f85970661b049d5d09c3671b1ca22b9aab317bc337c62929cfc2be7cb86e4d7a237cab0b75d806705753
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYoY:vHW138/iXWlK885rKlGSekcj66ciu

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	gaton.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	gaton.exe
2272	fusir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaton.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusir.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe
2272	fusir.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1712	4760	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	86
PID 4760 wrote to memory of 1712	4760	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	86
PID 4760 wrote to memory of 1712	4760	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	86
PID 4760 wrote to memory of 3520	4760	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	87
PID 4760 wrote to memory of 3520	4760	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	87
PID 4760 wrote to memory of 3520	4760	680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe	87
PID 1712 wrote to memory of 2272	1712	gaton.exe	92
PID 1712 wrote to memory of 2272	1712	gaton.exe	92
PID 1712 wrote to memory of 2272	1712	gaton.exe	92

C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe
"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\gaton.exe
  "C:\Users\Admin\AppData\Local\Temp\gaton.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\fusir.exe
    "C:\Users\Admin\AppData\Local\Temp\fusir.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
af5416b8428b7024077aca61c2fbc1e8

SHA1
6b1b9c4ff6c207c84eb39368680a8306bf800a3c

SHA256
31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3

SHA512
2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fusir.exe

Filesize
172KB

MD5
6a36b4af050b371fb980554e25b38d5b

SHA1
19a1796c3454658ab738e8b6d91619dc8d8521c3

SHA256
fd6dc67706a2c1e1f1f9271705f65a43d0ced4b237a9f73e8ae793575c7eae18

SHA512
95f1a80d3ae45d7ea0df812542ff57c804411ab0b96b2628ee2c8a60687b40b3159ac1ec2d529d03b37c162bd845030d3c9f22b49203015b4a25a230e5ad0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaton.exe

Filesize
329KB

MD5
a8e408f1ca88d1008e3690ea6395b1f8

SHA1
db51ac301ec87031abbb32b2098f6254950b6797

SHA256
adfa182be2c927f342d2d1e60cf891cb42f2d95a51d8d32b8967fc8c5735f129

SHA512
d9ea7106eac9c0524ab0ca1af1cba8d80bff45af398fc754e957f3b9bcbad9d16a6329ee2c91e85b9537c4fb309abba1f766261c7570c138395f7782aa054b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
63ef950c4f0331a74f8d485d8b69fa39

SHA1
da2b9978ab13a519f2b4e55714654103f8b6e224

SHA256
d8d7289faec99c182302a64a956959c6dc31ce5cb2898a7b05c010ec426b06c8

SHA512
980edeff71d1f564e29e04371182df5b41e16f1af60c41daaa93fdbdbca43222e1a86eeb438d2d55d7630eb1d40f8ac8ac462d243a4a6d4892a733e85d5482c5

Download Submit
memory/1712-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1712-41-0x0000000000AB0000-0x0000000000B31000-memory.dmp

Filesize
516KB

Download
memory/1712-14-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1712-11-0x0000000000AB0000-0x0000000000B31000-memory.dmp

Filesize
516KB

Download
memory/1712-20-0x0000000000AB0000-0x0000000000B31000-memory.dmp

Filesize
516KB

Download
memory/2272-47-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/2272-39-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/2272-38-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/2272-42-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/2272-46-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/2272-48-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/2272-49-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/2272-50-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/2272-51-0x0000000000500000-0x0000000000599000-memory.dmp

Filesize
612KB

Download
memory/4760-17-0x00000000005A0000-0x0000000000621000-memory.dmp

Filesize
516KB

Download
memory/4760-1-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4760-0-0x00000000005A0000-0x0000000000621000-memory.dmp

Filesize
516KB

Download