urelas | 7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe
Size

324KB
MD5

ab6d9878df743508071fd9e3955838ab
SHA1

96c1199c5fd42a27bb48670747a2b5e11c93236b
SHA256

7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd
SHA512

580119508f096725ea7916d7d7b3560ae69e18cbb3f9ac4ae1db17151f03d8fc5ce5414664b321af2456b350d9186eba0a15d273da9c4d35b7090e0a81b5e2b1
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYO:vHW138/iXWlK885rKlGSekcj66ciH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	bowom.exe

Executes dropped EXE 2 IoCs

pid	Process
3092	bowom.exe
3652	xocua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bowom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xocua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe
3652	xocua.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3092	3968	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe	89
PID 3968 wrote to memory of 3092	3968	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe	89
PID 3968 wrote to memory of 3092	3968	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe	89
PID 3968 wrote to memory of 532	3968	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe	90
PID 3968 wrote to memory of 532	3968	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe	90
PID 3968 wrote to memory of 532	3968	7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe	90
PID 3092 wrote to memory of 3652	3092	bowom.exe	101
PID 3092 wrote to memory of 3652	3092	bowom.exe	101
PID 3092 wrote to memory of 3652	3092	bowom.exe	101

C:\Users\Admin\AppData\Local\Temp\7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe
"C:\Users\Admin\AppData\Local\Temp\7dc65d9c94107d44f11243b4ab87a10a4240197f3e43290df5ee3eee17c67bbd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\bowom.exe
  "C:\Users\Admin\AppData\Local\Temp\bowom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\xocua.exe
    "C:\Users\Admin\AppData\Local\Temp\xocua.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3c666561db804f5b6c8e0a560b9750ba

SHA1
22232b8ee40738e5510b1cb1217c2ad0f7d6a8a2

SHA256
8a488223d6a14e23f2c4c73fc7c43f8ac241158d40f94e897a07a50cf51bf8c6

SHA512
cda99544a87fb512570f4b60af52c786ede6c9b608b9f926c1333cd4f0822c4989dc6078f373976b156b6aa10063b4e2457a4fe6b8e239b5ae253528fa114c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bowom.exe

Filesize
324KB

MD5
01a3acc4d083b657e0d95c58a41a1d81

SHA1
9f2710e44a29ad3d8b7655125c700cb68feaa8f3

SHA256
e7e4ef6dfa97b04afa9a1996582c480cef89f89e3fb898d1700b7109c557bdc2

SHA512
f986060123cf292aca64c10146e9ba1e7058f0a63bbefa6c33df38172f795afa1f7ae1cdd6ea466924895a66891b1b586b93083e6f7303113f3e8052c8ccf4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0d881bcd2bfe285c50218661c9410840

SHA1
771e86da9b24be87b6d97b501aa43ed14ca22edd

SHA256
ab519500a555cb4ff79c79db80ceb3ac39f62ad4d97827c13dbbb2b1e3eba576

SHA512
6b1954a7ac5c70229435dd7abf03e900210e71a77a845cb45e05681963391399512ab9d80aecff51c3699c6bfd4ab4f44a2778e64366f3c31bd6c98b8faccb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocua.exe

Filesize
172KB

MD5
b318ed182749ccaf5984b92d9ca49bef

SHA1
e6e2a073d4cdb2f2d672a4a0806cde9fda39c5a3

SHA256
7a55176b9119107a22cc777aba6d8334b227d27cb58ed2031162e1e43dba2a59

SHA512
1acf1131e5e79e9fa4e2a0c714c3b858f9036cbe6689072e41abae53e18e09de9c6650dc44d2dcdcd546ca43c1a8fc797f7e7976bc0bbfb0fd343b41ad420274

Download Submit
memory/3092-20-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/3092-36-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/3092-14-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3092-13-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download
memory/3652-44-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/3652-37-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/3652-39-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/3652-40-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/3652-45-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/3652-46-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/3652-47-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/3652-48-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/3652-49-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/3968-17-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/3968-1-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3968-0-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download