urelas | 31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
Size

332KB
MD5

76f5fdf8b29d6d325a2954eb9affd758
SHA1

738271ce6399a06456279ae22117905ab63fe4dc
SHA256

31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4
SHA512

5a3ff505f249bf294e540d1d336a0543f8057bc3b6fa5e7b346f05bf7e88894ef599f11b1ce03e0b81fe66c10ec7ee94bf6c95f7983af5f1ca27b69ac498a090
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr5:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	peboo.exe

Executes dropped EXE 2 IoCs

pid	Process
712	peboo.exe
3656	xohos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peboo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe
3656	xohos.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 712	2424	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	88
PID 2424 wrote to memory of 712	2424	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	88
PID 2424 wrote to memory of 712	2424	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	88
PID 2424 wrote to memory of 4648	2424	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	89
PID 2424 wrote to memory of 4648	2424	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	89
PID 2424 wrote to memory of 4648	2424	31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe	89
PID 712 wrote to memory of 3656	712	peboo.exe	102
PID 712 wrote to memory of 3656	712	peboo.exe	102
PID 712 wrote to memory of 3656	712	peboo.exe	102

C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe
"C:\Users\Admin\AppData\Local\Temp\31d4154d1b40a3f60a49701535d857bde631e61f79e5f52aadf7e0789c29b0b4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\peboo.exe
  "C:\Users\Admin\AppData\Local\Temp\peboo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Users\Admin\AppData\Local\Temp\xohos.exe
    "C:\Users\Admin\AppData\Local\Temp\xohos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3889d8e2dec2cdfaf98392329730f1b1

SHA1
b95f3baf21f177f97d91a800d2b9f0aef64da9f0

SHA256
353d3edb8e6d4032a387f3a2350280e78859312fa5244af78221c4360ed481ef

SHA512
f748ff35ebd437ef0a6fa93a1929087b9966c68b7f338c5d84c5f5a0f857dd069c75e4ce269e00c51ab19f4feff4c061ab22c1e5dedcf942f259c07e46fddd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fb78e4bcb0881f68d5a43a1b6f84f7c8

SHA1
7c5a03c2ead31827493b598889cf092c02002b35

SHA256
a0b648d31ae3d34a53e23eac1a049b297ffc01ad9cbc96a707e34cb7a2a2ba0b

SHA512
81fa20344d79c384465bc8fc60b3debcc3031f41862c8eceb3c15e47bbd008fc21e5d7402fef6c41a3d1879699ec40e1d7a5e99c639ea5e9d1afabd32c1ecb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\peboo.exe

Filesize
332KB

MD5
e012c5ffe8a698cf11602f67e739c340

SHA1
df6f98b6a4582b9bdfebdfeaeb2074cc59b9bc6b

SHA256
94d47569580c5518f42cbf4cb48af6aa2e077471316a9d200a14b179b96b75d5

SHA512
ca8a32c7a7bbad8c3566df022283614b54d663e850761bf5a82a504e638e0e3443ae7bf52792df85ef32485d3e62e2ca3b48da171d4303c70d027bad4902780d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xohos.exe

Filesize
172KB

MD5
03bc0a0361456ec737eedb14619e7edb

SHA1
5c64f637a77de364f6098c5f56bd3f5d1818e9e6

SHA256
6187e2d852536e2b88fed02cf798659a4c44d3cf37a515d79359c702a13ffaf8

SHA512
6dd95dd0676490283b2cdb6244f96e6625131f36de8e01c4f3c574f395290767b23c0170c20d92fa80463d1538baac6d6da0b355de89990e18c307fcd7f74668

Download Submit
memory/712-20-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/712-39-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/712-11-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/712-14-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2424-0-0x0000000000720000-0x00000000007A1000-memory.dmp

Filesize
516KB

Download
memory/2424-1-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2424-17-0x0000000000720000-0x00000000007A1000-memory.dmp

Filesize
516KB

Download
memory/3656-36-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/3656-43-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/3656-40-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/3656-45-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/3656-46-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/3656-47-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/3656-48-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/3656-49-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download