urelas | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
Size

330KB
MD5

2dd959c6e1effb6abe46f94d0702b2f5
SHA1

77b2edad9d60e05a74840a598a7797e47c42a885
SHA256

ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43
SHA512

ac666070e68302e8092b1a180f69ae71c808a75b99813e7c2c55d26bc7fc007ef7724ce616a8652565bf78c71011bac6f04b2b628a1f7a6d559ff5b9314ae1a7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVN:vHW138/iXWlK885rKlGSekcj66ciEN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	uhtoy.exe

Executes dropped EXE 2 IoCs

pid	Process
1388	uhtoy.exe
2912	lynud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhtoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lynud.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe
2912	lynud.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1388	1168	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe	87
PID 1168 wrote to memory of 1388	1168	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe	87
PID 1168 wrote to memory of 1388	1168	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe	87
PID 1168 wrote to memory of 4076	1168	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe	88
PID 1168 wrote to memory of 4076	1168	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe	88
PID 1168 wrote to memory of 4076	1168	ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe	88
PID 1388 wrote to memory of 2912	1388	uhtoy.exe	110
PID 1388 wrote to memory of 2912	1388	uhtoy.exe	110
PID 1388 wrote to memory of 2912	1388	uhtoy.exe	110

C:\Users\Admin\AppData\Local\Temp\ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
"C:\Users\Admin\AppData\Local\Temp\ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\uhtoy.exe
  "C:\Users\Admin\AppData\Local\Temp\uhtoy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\lynud.exe
    "C:\Users\Admin\AppData\Local\Temp\lynud.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
23711745137f60f536ecd30106ce5d6f

SHA1
bedbfff2c9fbc138a78a3d1c0bde391a363d6c97

SHA256
f9416d13ebeddc0f2f679e8cfe904d11dc2b36f18caed57b4bb8aaca87af34ac

SHA512
97777e6997e64424650f83ad22a7c2bd553e9f6d021602853c182c81646d956c87c65fc20ec05e28669a55acce5a4736e523dbbc2c74852ad9d3c5b4494d6482

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9e922a97590c667ace3f5b0e023d8221

SHA1
f52c1e81d6c7b2b64e3b02d3c0dfff2cb3caefb8

SHA256
055b90fa4ed66226af3a2d6813135ee1dfb47db31f6dce34696f3db4fb291a2a

SHA512
b8d2574a06929a0a21d9d0807ae1635047dfab59be4dc86bf0f83320ed17fef66587c622a948bdae4a709cc7fd253ed6818a13191d1c06c9f1f3c0de1aff44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lynud.exe

Filesize
172KB

MD5
46d6966136775965eb30f4c144c2885f

SHA1
8ac28e5c6c1b089af681e28c881f1ad69e779417

SHA256
7ef63c5946354331b39cc7cb191024396cff12f44dafb5a7c48aafc655a01dc9

SHA512
d8cec70c770abd9e328cb7bb9a723eb1bab72aee7788d1e8ad71350ada195338c037d8f21f7ceb2b7f66584cbb8c7b4e49401f03501c97bf8458a8cdb17b0f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhtoy.exe

Filesize
330KB

MD5
7a3f11834f77bd1b6b1ddd1521a72c01

SHA1
61d4a7cf0d5ff9e8de4750eed4377fe3c4daa55b

SHA256
5d3bf68b83c1713a8bee18b1f555ad951ac90af4c746e22b07a71950429ccd3a

SHA512
dcf9d089696dbcc7f1da9c136e73019ad7d1f2542dd191a9c7e2809092cfcf6fd332f378d1544f9252a354059017bbd5374306b4d61b495a222cd600b770564b

Download Submit
memory/1168-17-0x00000000005B0000-0x0000000000631000-memory.dmp

Filesize
516KB

Download
memory/1168-0-0x00000000005B0000-0x0000000000631000-memory.dmp

Filesize
516KB

Download
memory/1168-1-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1388-11-0x0000000000610000-0x0000000000691000-memory.dmp

Filesize
516KB

Download
memory/1388-14-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1388-20-0x0000000000610000-0x0000000000691000-memory.dmp

Filesize
516KB

Download
memory/1388-21-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1388-39-0x0000000000610000-0x0000000000691000-memory.dmp

Filesize
516KB

Download
memory/2912-41-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/2912-38-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/2912-42-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/2912-47-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/2912-46-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/2912-48-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/2912-49-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/2912-50-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/2912-51-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download