urelas | e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
Size

331KB
MD5

43ccc6958f91e07a407881b33286ef05
SHA1

7b2ce6400110ceb59534d4b181743db40817293d
SHA256

e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3
SHA512

42eff49833ea7f7af48eae35844ccc5c1b78eeda22362e38f37faff61540eb84de4ad32b7f7ee1f185ece81c157dbf883fa293678848dac0cf3c86811160fdfa
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ci9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wuofc.exe

Executes dropped EXE 2 IoCs

pid	Process
4424	wuofc.exe
1632	zyten.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuofc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyten.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe
1632	zyten.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4424	3092	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	90
PID 3092 wrote to memory of 4424	3092	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	90
PID 3092 wrote to memory of 4424	3092	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	90
PID 3092 wrote to memory of 4736	3092	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	91
PID 3092 wrote to memory of 4736	3092	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	91
PID 3092 wrote to memory of 4736	3092	e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe	91
PID 4424 wrote to memory of 1632	4424	wuofc.exe	104
PID 4424 wrote to memory of 1632	4424	wuofc.exe	104
PID 4424 wrote to memory of 1632	4424	wuofc.exe	104

C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
"C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\wuofc.exe
  "C:\Users\Admin\AppData\Local\Temp\wuofc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\zyten.exe
    "C:\Users\Admin\AppData\Local\Temp\zyten.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c3482ced7f644d94381c9b12ae15ecc2

SHA1
aee03a143b0d88848e660c6a06347c4d327b1a09

SHA256
ce3b22efc8692e1f90e4de419cc21f6b3306935da4224298008f4ab995b810fd

SHA512
560d86a27e2a4c897fc432f85e8f418d7002372d202bfd76e1ad16e6c671bbec0f66a60059dc1f5d518a183b77cca1f293ce0d735200c77f8d9a02f941cc1041

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
daff6e80df7dd04ab02d62256b91e956

SHA1
76e80153e92dcf8acdea918bc225baec4d55a16f

SHA256
104d75d278cd0495e37a47447a082d7d138c6fe57014d17fd0b97896d3920976

SHA512
52c889934edaab82b3fceaa24c4c20ac75d305b09eee34e1420d70a3601fa5e31a7b58d6d11c107e13455538a50f42cbf87a3804a6822235d9b3848522c24b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuofc.exe

Filesize
331KB

MD5
3c0cb484d9055d6c594af2d779f225b6

SHA1
5a59400eb4beeb225b359e1e4f37d863250484dc

SHA256
ccd66b9c21acaff5723f8bc7878b1a4fb929d76ba38a1734bcad6215a79b535f

SHA512
11534d9bd032aa08dfdc4bb87fa84bd25d83b33df08591e5f17d9c0dbcfe591f229a47b6d47fba320a31ff249e5f4aa1f45206f1e3c78d2d1aece3ef793428a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyten.exe

Filesize
172KB

MD5
e9c38eaef57b60ce3308085ed428fd7d

SHA1
c55985dfc9079751311d70083921e65af172543f

SHA256
86c5dca0991a5fc20d3e912833c3a3ea937938022d56e12f3777c3be049330ee

SHA512
0f5c3521e1eefbe07b7aeacf4d49b537959c77539ae3a22cbf97333bea6518be4e88cc9a69b70a80bee8b4c1914d92cdad7883fda77cb707e0979a7f4c8c73f0

Download Submit
memory/1632-46-0x0000000000760000-0x00000000007F9000-memory.dmp

Filesize
612KB

Download
memory/1632-42-0x0000000000760000-0x00000000007F9000-memory.dmp

Filesize
612KB

Download
memory/1632-50-0x0000000000760000-0x00000000007F9000-memory.dmp

Filesize
612KB

Download
memory/1632-49-0x0000000000760000-0x00000000007F9000-memory.dmp

Filesize
612KB

Download
memory/1632-48-0x0000000000760000-0x00000000007F9000-memory.dmp

Filesize
612KB

Download
memory/1632-47-0x0000000000760000-0x00000000007F9000-memory.dmp

Filesize
612KB

Download
memory/1632-44-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/1632-37-0x0000000000760000-0x00000000007F9000-memory.dmp

Filesize
612KB

Download
memory/3092-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3092-17-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/3092-0-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/4424-40-0x00000000001E0000-0x0000000000261000-memory.dmp

Filesize
516KB

Download
memory/4424-21-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4424-20-0x00000000001E0000-0x0000000000261000-memory.dmp

Filesize
516KB

Download
memory/4424-11-0x00000000001E0000-0x0000000000261000-memory.dmp

Filesize
516KB

Download
memory/4424-14-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download