urelas | 62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Size

333KB
MD5

a08624aa8369a8873d683590fb3f0fed
SHA1

75cb37084b41f2cfc3d9e4ec990a19631375e2b4
SHA256

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778
SHA512

7431757670d2359ff3fe8a4ca2319ca09e1f3fafb769e3e6c91fdd47d69e978362fcea45995723435fd13bcc3b133a6300cba392659d6a068487d66023639088
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9P:vHW138/iXWlK885rKlGSekcj66ciWP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exeqoraq.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	qoraq.exe

Executes dropped EXE 2 IoCs

Processes:

qoraq.exebatif.exe

pid	Process
3968	qoraq.exe
3504	batif.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

batif.exe62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exeqoraq.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoraq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

batif.exe

pid	Process
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe
3504	batif.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exeqoraq.exe

description	pid	Process	procid_target
PID 4036 wrote to memory of 3968	4036	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	89
PID 4036 wrote to memory of 3968	4036	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	89
PID 4036 wrote to memory of 3968	4036	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	89
PID 4036 wrote to memory of 4372	4036	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	90
PID 4036 wrote to memory of 4372	4036	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	90
PID 4036 wrote to memory of 4372	4036	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	90
PID 3968 wrote to memory of 3504	3968	qoraq.exe	107
PID 3968 wrote to memory of 3504	3968	qoraq.exe	107
PID 3968 wrote to memory of 3504	3968	qoraq.exe	107

C:\Users\Admin\AppData\Local\Temp\62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
"C:\Users\Admin\AppData\Local\Temp\62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\qoraq.exe
  "C:\Users\Admin\AppData\Local\Temp\qoraq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\batif.exe
    "C:\Users\Admin\AppData\Local\Temp\batif.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
ea2c3ad2177becefa293d8bff004fd8d

SHA1
84685598abf20b1813b4c475d5053b1969980504

SHA256
d8a231e7959ce5232dfbb8c2501c5fbdfbf669a2226e9a3a8eec2ee7cf6d0dd7

SHA512
5b27e8434474413af8ec35ee473cde03c9084420956861f22c81350ec572f70b6809ebbae2e7ccfdf2431149df730e9564f8e2456d72665fb364b86859c04ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\batif.exe

Filesize
172KB

MD5
6f919aebeae544c9006a44ca8aac72b7

SHA1
090685521400b39ab7a9c6c4f3b5cf5b22570cdc

SHA256
5dc86fce717ecd932b9262888743b4ef747779ae36776496a344fc6e2c11abd1

SHA512
de46a83790e2cb11b1e536c3ffe4ce8a0b06eb85b83299373628bed546ef40f83f6eb2a9460b01f83fec50481e67d3a59a56ff8cd4101a6f74ac9e50866fe18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c7c1a63f66a92079f753fcb8d564c56c

SHA1
33c4b104764762b6b0805255318334acf00a2c33

SHA256
683e4e6fe7b4417ecd491e3add8cee15e1fa6e74b126e681277d125117fe2c69

SHA512
71a6b235fb871555695988ddfb33a0683bb9ad93f7619d91bdc66de8626e7610faf589d03f26ddf1ed20eda7aa484b99c820e05ac45a6388e3c85364c0fe67c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoraq.exe

Filesize
333KB

MD5
6db4b33a355cf3a75f5915809f51f83d

SHA1
7cfa6e011237587b535c76f4a373dc1859cf24e4

SHA256
0af8b6b21af20af2621a9932feb695fa9fbc6644dbe8dfc07f847478e78fb809

SHA512
84370e2c712e0c89d1920ed506a7a1dc555a18a3b1629d2ff5ef3a8038eb463c4c0139c639ccb05c04b8373cc2ee00637d8c23f376ad7ab37230f5de054f1c2f

Download Submit
memory/3504-47-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/3504-48-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/3504-51-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/3504-50-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/3504-49-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/3504-46-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/3504-38-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/3504-42-0x0000000000FF0000-0x0000000001089000-memory.dmp

Filesize
612KB

Download
memory/3504-39-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/3968-41-0x0000000000430000-0x00000000004B1000-memory.dmp

Filesize
516KB

Download
memory/3968-20-0x0000000000430000-0x00000000004B1000-memory.dmp

Filesize
516KB

Download
memory/3968-14-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3968-21-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3968-11-0x0000000000430000-0x00000000004B1000-memory.dmp

Filesize
516KB

Download
memory/4036-1-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4036-0-0x00000000004B0000-0x0000000000531000-memory.dmp

Filesize
516KB

Download
memory/4036-17-0x00000000004B0000-0x0000000000531000-memory.dmp

Filesize
516KB

Download