urelas | fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Size

324KB
MD5

ccb3964dd622fcc600a569de60895175
SHA1

ae99f1714cfe9c8811dbd0d6fa28d55189017d75
SHA256

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de
SHA512

af877883057fee997f0da3f0cd229923ab221e6841b84062b5dadf08f42e4d00dd5a1de42a095d4bc51d9a3ecbd9041e952d55a8eb8e0d208fe5dfc563aaa35b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cazip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe

Executes dropped EXE 2 IoCs

pid	Process
3560	cazip.exe
3332	wolit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cazip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wolit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe
3332	wolit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3560	2312	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	90
PID 2312 wrote to memory of 3560	2312	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	90
PID 2312 wrote to memory of 3560	2312	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	90
PID 2312 wrote to memory of 3708	2312	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	91
PID 2312 wrote to memory of 3708	2312	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	91
PID 2312 wrote to memory of 3708	2312	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	91
PID 3560 wrote to memory of 3332	3560	cazip.exe	108
PID 3560 wrote to memory of 3332	3560	cazip.exe	108
PID 3560 wrote to memory of 3332	3560	cazip.exe	108

C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
"C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\cazip.exe
  "C:\Users\Admin\AppData\Local\Temp\cazip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\wolit.exe
    "C:\Users\Admin\AppData\Local\Temp\wolit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e577ae7de95af5cbc09c3b55681bbc2

SHA1
417fdb014059cab8357a87f8b761cb0d3adc083b

SHA256
df822d01c41a8c4a5177f77c5702d4018863179d071defafc98c400a547f252e

SHA512
2fdb0ed8c97fecfa63576e7f2ce7628302044cf0438d783265bf772fe2730bebcb833f51bb029126864a8171644f0069b1ede2e5a58507449d84629b87f0d691

Download Submit
C:\Users\Admin\AppData\Local\Temp\cazip.exe

Filesize
324KB

MD5
58464a6942abbf08c45db64a9493f351

SHA1
6c340aa0b4533516f13c9326636be35bd0eb17f3

SHA256
06ff54d39d84edabb1fcbaab877b4854c0bb4a14a5b369ce9ac9a18de000a32b

SHA512
639cf383ba54633c9094eeb466d0dac4c2dd0c6062a94c9c2593bb1d0ac4e5e44d40add162e03b7c589e1c1bc950008331387c13db62c687b358746cce4d0a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8af158654753f3c91b49b74b4a2f5b86

SHA1
0d19b3aa7dd4069ecf6103e6c8d4a328deaab8f6

SHA256
99bf7e8231d2c2db9ad689192e1f0f524bebba70539ad424465fbb33bbb37b9a

SHA512
ae6dd51d0b7ef68c1abc3ccd79533a08fcdc20db6b14f08230f9de82d65dfa03aecf9eed1d9168a617a0861efafff15ea29d072a8e67986cec2ae9bf8a43bbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wolit.exe

Filesize
172KB

MD5
4b042afb1811a23cf5d2ac19d2a8a629

SHA1
3b66adbabd00ca114cd65977846f83f001852721

SHA256
172085ad1fef94c344bf7582a0858b10675bfad690d18602e0f849f7315fc6d6

SHA512
59bd0e211276beb01a33d75e48da81a54d39102490d173e6af2c98a566d5a35c6b735b5c6dd8b74b366af4b6476aeaca0aac1f0c6857f924d35da20d760ea393

Download Submit
memory/2312-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2312-0-0x0000000000020000-0x00000000000A1000-memory.dmp

Filesize
516KB

Download
memory/2312-17-0x0000000000020000-0x00000000000A1000-memory.dmp

Filesize
516KB

Download
memory/3332-40-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3332-37-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3332-41-0x0000000000970000-0x0000000000972000-memory.dmp

Filesize
8KB

Download
memory/3332-45-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3332-46-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3332-47-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3332-48-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3332-49-0x0000000000DC0000-0x0000000000E59000-memory.dmp

Filesize
612KB

Download
memory/3560-20-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/3560-11-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/3560-14-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/3560-43-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download