urelas | b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
Size

332KB
MD5

64ac1bc4ca221ef927c0f5b570dd2b80
SHA1

157f3607b64b7a69cc3b85ae3e6fb0855dfb9185
SHA256

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12
SHA512

9a329ce8c12e83cf96aa821bc0d68ee107e388d99e8dc9eaca8d55bf9f62e54d48fbcba4619999925917a62372d3d931fb1a4dc4872c7e94ac516b88830f023b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ciN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exezumif.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	zumif.exe

Executes dropped EXE 2 IoCs

Processes:

zumif.exefydij.exe

pid	Process
2536	zumif.exe
952	fydij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exezumif.execmd.exefydij.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zumif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fydij.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fydij.exe

pid	Process
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe
952	fydij.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exezumif.exe

description	pid	Process	procid_target
PID 1744 wrote to memory of 2536	1744	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	88
PID 1744 wrote to memory of 2536	1744	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	88
PID 1744 wrote to memory of 2536	1744	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	88
PID 1744 wrote to memory of 2188	1744	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	89
PID 1744 wrote to memory of 2188	1744	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	89
PID 1744 wrote to memory of 2188	1744	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	89
PID 2536 wrote to memory of 952	2536	zumif.exe	109
PID 2536 wrote to memory of 952	2536	zumif.exe	109
PID 2536 wrote to memory of 952	2536	zumif.exe	109

C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
"C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\zumif.exe
  "C:\Users\Admin\AppData\Local\Temp\zumif.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\fydij.exe
    "C:\Users\Admin\AppData\Local\Temp\fydij.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8a72da537d856fe39cf196e33d506de4

SHA1
b3fe8a6999f910b62a54af43f93dd9387b3fdc03

SHA256
91eb2480d34d1e3f221e5a8f319619ce6d11b48561cc12a3a543ea352d5885b3

SHA512
f0324a89c320b64025d33d904bd7de35e04ea761360d5fd79d3319d3872c001c4c743ee621b2aca5494a1f4f1428de026029d046fdcba395dc5fc724b06a3cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fydij.exe

Filesize
172KB

MD5
806caeb4ef2d668c48d0ab280c5efae2

SHA1
db70f00be043f02ad5a793700e2b916a0a633caa

SHA256
04484fdf26b16ca7e577bf9b61c01a825cc8dcd64db090583b4f4f682c8b9424

SHA512
30bd92e287630493a8f919ac8f4a3b87df2d673e9eafc7fef353340edba1323dfb9f07cea95ce8b6f11cd9012d8d8b20a4aefe0482f082660537c357baddbf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
29d5d502efaf4b7d1e5e8b879112d1b1

SHA1
6099057ddf7016baa8e4993ed32d1163eee1f9ea

SHA256
a3a9e4a700158772774fb3cf64cbe97a142f857dc24cffb2c3907e33828f96d7

SHA512
f41e38c9b16b7154b5d6b071ceede7e6cba7dface40bc29f4dade021b4b90f1a2db2fa85cfa37908a7c44de02b9a2c7b87e51047b6c94495becc1177d1ce8564

Download Submit
C:\Users\Admin\AppData\Local\Temp\zumif.exe

Filesize
332KB

MD5
7d4457b72f28c31697fffedcafe078d8

SHA1
00f20b1900d925a0f3bd44b558543d1336158072

SHA256
0b7aa1bd2dce920f0cdf426f2d4c0b9a1fc9b0db579af84f73b71352727aa5af

SHA512
48f3a951a3312179f884801dda4904b810b9f69c1cbe1105632164cb645cd9b3caae67cdc01a063190e0ee6bb976013b675f22f67feaf2d6ab84843a9d25760d

Download Submit
memory/952-44-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/952-45-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/952-49-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/952-48-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/952-47-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/952-46-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/952-37-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/952-36-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/952-40-0x0000000000D70000-0x0000000000E09000-memory.dmp

Filesize
612KB

Download
memory/1744-16-0x0000000000430000-0x00000000004B1000-memory.dmp

Filesize
516KB

Download
memory/1744-0-0x0000000000430000-0x00000000004B1000-memory.dmp

Filesize
516KB

Download
memory/1744-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2536-39-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download
memory/2536-19-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download
memory/2536-14-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2536-11-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download