urelas | 6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Size

330KB
MD5

a7fca01381772be5f88e3f4c59bb488a
SHA1

934e2a8dd0bf5fa61aa8809d73d7b46628812eea
SHA256

6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1
SHA512

d8def90bc95351068860d6cff6f0ce7a2857be86202980f0714d46d4cdf15901828ce49ea365e9990a609e12a82d5afa7ae2fd4cec7f74b39c51e384661dc282
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVq:vHW138/iXWlK885rKlGSekcj66ciEq

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	xuloa.exe

Executes dropped EXE 2 IoCs

pid	Process
4012	xuloa.exe
1884	puxeh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuloa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puxeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe
1884	puxeh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4012	4464	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	87
PID 4464 wrote to memory of 4012	4464	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	87
PID 4464 wrote to memory of 4012	4464	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	87
PID 4464 wrote to memory of 1744	4464	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	88
PID 4464 wrote to memory of 1744	4464	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	88
PID 4464 wrote to memory of 1744	4464	6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe	88
PID 4012 wrote to memory of 1884	4012	xuloa.exe	101
PID 4012 wrote to memory of 1884	4012	xuloa.exe	101
PID 4012 wrote to memory of 1884	4012	xuloa.exe	101

C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe
"C:\Users\Admin\AppData\Local\Temp\6fc2303657714dae829a2e02624d113af7e284e942387156185a1a6f55b6d9d1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\xuloa.exe
  "C:\Users\Admin\AppData\Local\Temp\xuloa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\puxeh.exe
    "C:\Users\Admin\AppData\Local\Temp\puxeh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
163be0232365d7ce68accdc4efeda98e

SHA1
065d2753d718c85c30f13d29311e5f9f7d469e08

SHA256
5a99ed92dbb374a881252e400b55fc2e24a911772061d55953b45e07ce77e26b

SHA512
3f2d8da1b5c58a7e5832d1c1f2a25886365f83966aeb3e6230cabf42032e9067df5f6f4c08c4b7dd44406fc147cc5e9cd40906b546220568b579d1ef4d16ca18

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c770108b028f35806a4c76451ae6c4ea

SHA1
df2f328f9c980170ec7ded55a94a78e7837328b9

SHA256
5ffb6e6a56478418156fbeb40d003baf80ced0704462b7fc927da08a95006bd3

SHA512
c1c2de37b1baf08db502a92a9394dd7c20d6b5145a835c5fe0b7dd2ad182fa48f82af979f97026d85d30b88bca6719e41d9497ace99aaf6608f1a6ad3e130c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\puxeh.exe

Filesize
172KB

MD5
9c4dde3e0572ceada02fa9982c0b32a5

SHA1
3d055892968b201294bb1895d1d0b87cf92da007

SHA256
e13d5c74191cae85de35cb63e1740f4715fe1351179f64663140e49d7f9ddc0a

SHA512
016239ffd1e084f53b82a393add4dc5f8514a38559b8cf6c6f99577455d04372ade4773168e0ad952435118609ac2d04653cbe064b8a51689101055f613016d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuloa.exe

Filesize
330KB

MD5
9bb7aa2ee0cfdb044dee44940002e55a

SHA1
d6f2451513b86009243bf592c280a42b75b8497e

SHA256
2da1a1e1def654a61146f5fdf1eaabe59096a931877db3dcbdcc3d0208c52831

SHA512
14094cfef162ef884665c46e5f0565ac231e168888cdde0d65a4896a65501d8ace1c37eba5e1bfb332ce35fc16fadfd36e3b196e5a5f7844ae3efb63d1818830

Download Submit
memory/1884-45-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1884-46-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/1884-50-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1884-49-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1884-48-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1884-47-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1884-41-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1884-40-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/1884-37-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/4012-39-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/4012-20-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/4012-15-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/4012-14-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/4464-17-0x0000000000DA0000-0x0000000000E21000-memory.dmp

Filesize
516KB

Download
memory/4464-0-0x0000000000DA0000-0x0000000000E21000-memory.dmp

Filesize
516KB

Download
memory/4464-1-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download