urelas | b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
Size

325KB
MD5

1ac972ef0744dbef4ae6ab6458c7db27
SHA1

5052cb948e325d158802300ca0121659383d525f
SHA256

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217
SHA512

90c009bdb0a1d6efdef9df59b7610657f5861ea34022dfd3600352e223fca846c3f7afeb174a63b305bb8d8de51bf6d2746dde4f22a0211024fb2bf07be035f0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYs:vHW138/iXWlK885rKlGSekcj66ciF

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exeefvoz.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	efvoz.exe

Executes dropped EXE 2 IoCs

Processes:

efvoz.exeqiovb.exe

pid	Process
2108	efvoz.exe
2928	qiovb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exeefvoz.execmd.exeqiovb.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efvoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiovb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qiovb.exe

pid	Process
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe
2928	qiovb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exeefvoz.exe

description	pid	Process	procid_target
PID 4792 wrote to memory of 2108	4792	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	88
PID 4792 wrote to memory of 2108	4792	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	88
PID 4792 wrote to memory of 2108	4792	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	88
PID 4792 wrote to memory of 4644	4792	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	89
PID 4792 wrote to memory of 4644	4792	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	89
PID 4792 wrote to memory of 4644	4792	b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe	89
PID 2108 wrote to memory of 2928	2108	efvoz.exe	110
PID 2108 wrote to memory of 2928	2108	efvoz.exe	110
PID 2108 wrote to memory of 2928	2108	efvoz.exe	110

C:\Users\Admin\AppData\Local\Temp\b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe
"C:\Users\Admin\AppData\Local\Temp\b47487a890b3ca66c95b7602105c230d0b78f4b2ea88f651de136e5869299217.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\efvoz.exe
  "C:\Users\Admin\AppData\Local\Temp\efvoz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\qiovb.exe
    "C:\Users\Admin\AppData\Local\Temp\qiovb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1f38f267500bf1302dd62c8a89ebde92

SHA1
19f0298a9c2d4fa83e95a7e23229d220690e4cef

SHA256
017e6d14717a8ac8bfda1f0fea67192702d2180890d963c10d8dfebd214aac8d

SHA512
521e5c531bdcf352617d5f497a39ac3b5f332fb3f831b6eb20bf7273e044ebd8b360832f12185952758884053383d85358fe52d1941329e24f2f9c9786bfbd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\efvoz.exe

Filesize
325KB

MD5
105d513344d9bf7f850c1a6a0c1e1185

SHA1
0cca72d1765d96bdf1b05a5fcc41fff1d5ca32fb

SHA256
1119c93acb5d83dcddac29fde8b2c4bd09497bb16dcc661f7c4d9c54f8d681fd

SHA512
1d9e30ffd43c16d9b23be2e27bedcbfdad106074951a7c70ae9ea34e1fec7c2957d8d0e9626601ad20c6aa2896e2ee2f4c563b2b9c96bcd641bd7022910ade2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fe6e949f5c455750a5eaa4df1d04ebfe

SHA1
5d8d92cf947f25ff3517846721b89f8c7422a6ce

SHA256
277e54d6cde39e7a98645251c0606ec5f79e98904fb71e18b90ee18ac9a0d88c

SHA512
2d3354c4735732058e845afd0655e59b238c33500abce9c8067ec20f52421a606c873fa89109d99b9cae8a1d8888738544f0a35e876e67d221d8ffedfde0334e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiovb.exe

Filesize
172KB

MD5
1b9c00a123869582d7600283c6faa3c3

SHA1
16f3c729e44552566e7e0dba096776a3d7209cdd

SHA256
0f737e35d24ab5b961fda12e6348ddf206bf38399c737dab3b7df9ccac4bec66

SHA512
18d81530742a4075ce46c11ad3a7a77c741c41193d8c6959c8b8a2b414ad0aa5d986c6a3e69f564a4c6289b8c24998c7586a621513e385548bfa255f50df2788

Download Submit
memory/2108-11-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2108-44-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2108-21-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2108-14-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2108-20-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2928-40-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2928-39-0x0000000001040000-0x0000000001042000-memory.dmp

Filesize
8KB

Download
memory/2928-38-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2928-46-0x0000000001040000-0x0000000001042000-memory.dmp

Filesize
8KB

Download
memory/2928-47-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2928-48-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2928-49-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2928-50-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2928-51-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/4792-17-0x0000000000E40000-0x0000000000EC1000-memory.dmp

Filesize
516KB

Download
memory/4792-1-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/4792-0-0x0000000000E40000-0x0000000000EC1000-memory.dmp

Filesize
516KB

Download