urelas | d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
Size

332KB
MD5

b8017c01f42eb5dc5abf267902d2168b
SHA1

4966c9e8caf87d844cdc8174a9d17f5865703042
SHA256

d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8
SHA512

d5f64d8653189f87a8d31a63ebc68d80a2d9b47686c8eab14dd440b64d4427cb4cb664ce5eb275381e8b28fc1f7bbe32998ffe5942ff7cee5241dfd7bc9a0d67
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVQ:vHW138/iXWlK885rKlGSekcj66ciEQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dywut.exe

Executes dropped EXE 2 IoCs

pid	Process
4216	dywut.exe
3492	sunet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sunet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dywut.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe
3492	sunet.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 4216	1124	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	90
PID 1124 wrote to memory of 4216	1124	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	90
PID 1124 wrote to memory of 4216	1124	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	90
PID 1124 wrote to memory of 2284	1124	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	91
PID 1124 wrote to memory of 2284	1124	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	91
PID 1124 wrote to memory of 2284	1124	d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe	91
PID 4216 wrote to memory of 3492	4216	dywut.exe	108
PID 4216 wrote to memory of 3492	4216	dywut.exe	108
PID 4216 wrote to memory of 3492	4216	dywut.exe	108

C:\Users\Admin\AppData\Local\Temp\d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe
"C:\Users\Admin\AppData\Local\Temp\d4d0f1663b460484e3a947f9d7cee4723b0c1f92f95ead0d909c231b2068d2b8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\dywut.exe
  "C:\Users\Admin\AppData\Local\Temp\dywut.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\sunet.exe
    "C:\Users\Admin\AppData\Local\Temp\sunet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
97ac3213777bb973b4a206e67455a7e3

SHA1
f20da8a66d33439a1d4c85ab872d70f97ed4c8bb

SHA256
a3273afa5970391d71c2328123e5daa4e4f0bf348036b2534b6d92a9bf87ec9b

SHA512
4ff2ea54706d3c9ab14f5fcd2ba7299fc7763a605436ba0c83a9f381d49e9f7e99685a744565970477b24d9cc92fd92a274de859a9d3c5a5df9cdc14cb0f20e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dywut.exe

Filesize
332KB

MD5
014d6e4191bf3783c500bd0e5c37ae83

SHA1
25ee3e80f082c17cfe484d110c822d3334b7394c

SHA256
521b226c775fd839bb8d8fb05fabf1962067643ca63580db3aa3c17afddbf5f1

SHA512
449f8428f760cd390abf416ce1a6397ddec2414492f2722d9f4afabff9596f44ac0378f44f6679bd61bf4c4d94d29317ca32f22b55faf80399d92b0b5df610c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7b2e9b68eb5742db76ebc45b99509c69

SHA1
9f655ee8392c919f3cb091b7cbbafc259b10a4b7

SHA256
7fd140c8eddb6ff8d651cc81503e210e8dddf2595e1e2df222a6460f2f309ae9

SHA512
88bd9c0080ba51347ccde73294a6f18c4ca397529eac35a291c65c5e1057aa58f9d3986cfac84d3614f304d2baea1c6964a3b4b3f8d605f8f913804b474d2aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sunet.exe

Filesize
172KB

MD5
4b042afb1811a23cf5d2ac19d2a8a629

SHA1
3b66adbabd00ca114cd65977846f83f001852721

SHA256
172085ad1fef94c344bf7582a0858b10675bfad690d18602e0f849f7315fc6d6

SHA512
59bd0e211276beb01a33d75e48da81a54d39102490d173e6af2c98a566d5a35c6b735b5c6dd8b74b366af4b6476aeaca0aac1f0c6857f924d35da20d760ea393

Download Submit
memory/1124-17-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/1124-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1124-0-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/3492-48-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3492-42-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3492-51-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3492-50-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3492-39-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/3492-49-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3492-38-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3492-47-0x00000000004D0000-0x0000000000569000-memory.dmp

Filesize
612KB

Download
memory/3492-46-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/4216-21-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4216-14-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4216-41-0x00000000005C0000-0x0000000000641000-memory.dmp

Filesize
516KB

Download
memory/4216-11-0x00000000005C0000-0x0000000000641000-memory.dmp

Filesize
516KB

Download
memory/4216-20-0x00000000005C0000-0x0000000000641000-memory.dmp

Filesize
516KB

Download