urelas | 6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
Size

331KB
MD5

58ce05c8d85a601405b81ccda398ccd7
SHA1

d62b4c797bc633d1f5a2c4972fb854bef98ed31b
SHA256

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842
SHA512

a4da37e691149968aa0917d153967c465cf87993baa6cceb6c9486d62bc0b82969cafb30e93518990ef471dcc88d94c6329fc80a3a58be67e2bdb95050354c0c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYd:vHW138/iXWlK885rKlGSekcj66ciQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exesuviz.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	suviz.exe

Executes dropped EXE 2 IoCs

Processes:

suviz.exeguybw.exe

pid	Process
5088	suviz.exe
3276	guybw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exesuviz.execmd.exeguybw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suviz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guybw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

guybw.exe

pid	Process
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe
3276	guybw.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exesuviz.exe

description	pid	Process	procid_target
PID 2980 wrote to memory of 5088	2980	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	90
PID 2980 wrote to memory of 5088	2980	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	90
PID 2980 wrote to memory of 5088	2980	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	90
PID 2980 wrote to memory of 816	2980	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	91
PID 2980 wrote to memory of 816	2980	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	91
PID 2980 wrote to memory of 816	2980	6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe	91
PID 5088 wrote to memory of 3276	5088	suviz.exe	112
PID 5088 wrote to memory of 3276	5088	suviz.exe	112
PID 5088 wrote to memory of 3276	5088	suviz.exe	112

C:\Users\Admin\AppData\Local\Temp\6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe
"C:\Users\Admin\AppData\Local\Temp\6f260c0a9c755cd77f1c9624f72beec9fff49b56233b3f91cbac405e17e36842.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\suviz.exe
  "C:\Users\Admin\AppData\Local\Temp\suviz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\guybw.exe
    "C:\Users\Admin\AppData\Local\Temp\guybw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a5b1795728b662942114fb3bc208d709

SHA1
06544a3822b6bf1cd7bbcb730865a8908d2ef784

SHA256
274009e193b1af404eaad6e63515a1bff124295973cfb179ce7bfe06ee04fec6

SHA512
fff863ea7228c3316d7437fa04c9d53e6d959ba9272db85feffb3becea34b642b21f37225559169acac5b0e1ca6facd03615d9755c804fdcf473557a344c142b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5898478d1007bd22e0104ddc2d0f2979

SHA1
7bdbb812d436328538b1c2ac0d2fc95f11483e2d

SHA256
9b2f7f9e7f25ed4adb155192b6bf1332f57ec5faf229da99044462741f09126e

SHA512
5bad815c2a91eb810216ea190451eeaf609dbe485bb305d2bcc7a53a0975f76ecd832923caa5a9311b21d2cba52f8a995918cd0aaa2713e8bc9919bb217b73a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\guybw.exe

Filesize
172KB

MD5
943d0bf4d080115227e2ee0513f9250a

SHA1
753f2eedaf319e74d9f82e676939b80381e07d46

SHA256
3ea2f8fb4af7fa1941ca2c29eea4088056ebe0117078ab3c8f2a5cc43892d87c

SHA512
cf7455e47266a95535696ed053558fa10c8219e233f60e993cc39a6e70aa25c46506c74820ebc6d7f48061cf9165607a4db59c876befbc6b874eaface414426d

Download Submit
C:\Users\Admin\AppData\Local\Temp\suviz.exe

Filesize
331KB

MD5
6409fbdfbb8974b1d1096a38dd4a1aab

SHA1
f1e7b011442041dae59f0fd1cb2f555ced70d114

SHA256
6f4a1dabecf384c1405b8a3a38606ae967118c673b6ac7280f150167830a5090

SHA512
0d2c6dcce41524aa089c01fbb2177cd9dafa14ecd23a843e5f4399ba8474613fb2db017c7236995c2b0bcb31e7fe89325d57e2a0879502f8915cae8fd1cfca51

Download Submit
memory/2980-17-0x0000000000420000-0x00000000004A1000-memory.dmp

Filesize
516KB

Download
memory/2980-0-0x0000000000420000-0x00000000004A1000-memory.dmp

Filesize
516KB

Download
memory/2980-1-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/3276-47-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/3276-51-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/3276-50-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/3276-49-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/3276-41-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/3276-40-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/3276-48-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/3276-42-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/3276-46-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/5088-21-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/5088-39-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/5088-20-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/5088-11-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/5088-14-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download