urelas | 57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Size

330KB
MD5

8ed8fe4236bd3275ca6fb53ea7adeef0
SHA1

af97463ad45ec8f778be83b82909e222c0076265
SHA256

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2
SHA512

9e0992b9ae3b18ce3e0daabf36b6e92dc56156ecc291a5c1eafa16b47e60fe99b4766829b45dfe99cfac2fb2fce35507ee8bcea5610db7220428c98328874a20
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exetozyj.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	tozyj.exe

Executes dropped EXE 2 IoCs

Processes:

tozyj.exepohef.exe

pid	Process
3016	tozyj.exe
4952	pohef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exepohef.exe57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exetozyj.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tozyj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pohef.exe

pid	Process
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe
4952	pohef.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exetozyj.exe

description	pid	Process	procid_target
PID 2064 wrote to memory of 3016	2064	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	86
PID 2064 wrote to memory of 3016	2064	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	86
PID 2064 wrote to memory of 3016	2064	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	86
PID 2064 wrote to memory of 3900	2064	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	87
PID 2064 wrote to memory of 3900	2064	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	87
PID 2064 wrote to memory of 3900	2064	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	87
PID 3016 wrote to memory of 4952	3016	tozyj.exe	100
PID 3016 wrote to memory of 4952	3016	tozyj.exe	100
PID 3016 wrote to memory of 4952	3016	tozyj.exe	100

C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
"C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\tozyj.exe
  "C:\Users\Admin\AppData\Local\Temp\tozyj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\pohef.exe
    "C:\Users\Admin\AppData\Local\Temp\pohef.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6e8d954fb1dddba6478e87ba0e58a3b0

SHA1
e7093781d87eca308159a1d1bbd32fe190fc967a

SHA256
4caa108699460495771fe7f2890e821a4fd25a7bd18072f13b57ee25fccf7a5e

SHA512
09ec249e5465ef9c9c89d9a67fbdaa1ed3aa96da2e947262f5ba95cbba7f9b70afec9bcea5a406727d3df6f9a489dcaf10cc89d6c2dc065a04dd59f645654cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8a077ece7d1200cc52c17c5fc60456c1

SHA1
105531886977345ea6493457e6fa2866068e298d

SHA256
a31bee0a79bc54cef666592bcd7236b66d112b401eed3dca699ea5aaab781f71

SHA512
f0c35ba4227ed1326d584c996a153f0b0da4b8854f27e49defd61401e2c4fe3d5a21219aef55231e9a03260efb1780168fc3c6569f7fe74fc7fb081377f80fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pohef.exe

Filesize
172KB

MD5
806caeb4ef2d668c48d0ab280c5efae2

SHA1
db70f00be043f02ad5a793700e2b916a0a633caa

SHA256
04484fdf26b16ca7e577bf9b61c01a825cc8dcd64db090583b4f4f682c8b9424

SHA512
30bd92e287630493a8f919ac8f4a3b87df2d673e9eafc7fef353340edba1323dfb9f07cea95ce8b6f11cd9012d8d8b20a4aefe0482f082660537c357baddbf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tozyj.exe

Filesize
330KB

MD5
46dc5c9b8fb8939b5de36ce72e98d240

SHA1
daa3c19ef2b5ee7bd0c17e166d3bfa5e7e29d03b

SHA256
47d897f8b2ad927ca1e72b3ebba02549c5fd13cf7e02d29a3cd3f60f665731cc

SHA512
0deafad14b9883f06450b6482281c63d42cacb7e180c90bafafba43a4d0ade201bfa9053dbe98da7d1e9e78bac4a099d87d75cd9da7d57f59511be1acb403b72

Download Submit
memory/2064-1-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2064-17-0x0000000000680000-0x0000000000701000-memory.dmp

Filesize
516KB

Download
memory/2064-0-0x0000000000680000-0x0000000000701000-memory.dmp

Filesize
516KB

Download
memory/3016-39-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/3016-14-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3016-13-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/3016-20-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/4952-36-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/4952-40-0x0000000000830000-0x0000000000832000-memory.dmp

Filesize
8KB

Download
memory/4952-41-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/4952-45-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/4952-46-0x0000000000830000-0x0000000000832000-memory.dmp

Filesize
8KB

Download
memory/4952-47-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/4952-48-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/4952-49-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/4952-50-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download