urelas | fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Size

324KB
MD5

ccb3964dd622fcc600a569de60895175
SHA1

ae99f1714cfe9c8811dbd0d6fa28d55189017d75
SHA256

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de
SHA512

af877883057fee997f0da3f0cd229923ab221e6841b84062b5dadf08f42e4d00dd5a1de42a095d4bc51d9a3ecbd9041e952d55a8eb8e0d208fe5dfc563aaa35b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	potaz.exe

Executes dropped EXE 2 IoCs

pid	Process
4636	potaz.exe
2944	revel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	potaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	revel.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe
2944	revel.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4636	3988	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	87
PID 3988 wrote to memory of 4636	3988	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	87
PID 3988 wrote to memory of 4636	3988	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	87
PID 3988 wrote to memory of 952	3988	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	88
PID 3988 wrote to memory of 952	3988	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	88
PID 3988 wrote to memory of 952	3988	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	88
PID 4636 wrote to memory of 2944	4636	potaz.exe	108
PID 4636 wrote to memory of 2944	4636	potaz.exe	108
PID 4636 wrote to memory of 2944	4636	potaz.exe	108

C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
"C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\potaz.exe
  "C:\Users\Admin\AppData\Local\Temp\potaz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\revel.exe
    "C:\Users\Admin\AppData\Local\Temp\revel.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e577ae7de95af5cbc09c3b55681bbc2

SHA1
417fdb014059cab8357a87f8b761cb0d3adc083b

SHA256
df822d01c41a8c4a5177f77c5702d4018863179d071defafc98c400a547f252e

SHA512
2fdb0ed8c97fecfa63576e7f2ce7628302044cf0438d783265bf772fe2730bebcb833f51bb029126864a8171644f0069b1ede2e5a58507449d84629b87f0d691

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1f651d959be06c0d96d12ce9fc241e2b

SHA1
225fad230a6a3f0c3c5cce5a2a52728a109f4b60

SHA256
6245c083ebc5d5b1b087b731a5ee32373a4b659944a65b51e58c94302b3274c7

SHA512
ccbe5d48a0422ad8577d9d77d9221a5c966fc289a96b91d19c21cad5bdda4e5096e78b8abe26e8c6b3ba9dcc6ac8222bf9d7761849182b12ab525694a34db2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\potaz.exe

Filesize
324KB

MD5
a9a9a3faaebb8c1af967f7b1e3d8781d

SHA1
2bd9cc71fac8586725184eb9864fc54eca1aab18

SHA256
ebebd4c14adfa25d4ccfd542020f6b32f2ec15884271b1daa0d6c5dd2c749dce

SHA512
e6925f0ccf4e2052b57944c94912e740f6b6e347043d21a0fd42f128bd33c3776f10e4eb9423d31561fe7c4c24166781f788670304ef144b3393f2b1df3f9cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\revel.exe

Filesize
172KB

MD5
98aef40fb5c6e24847425f5c01ca03cf

SHA1
fb7e1033e83fe5c90aea3a6df040c42315f43ad1

SHA256
bd2b0f27071cb73bf56000ccb5f7e9747ebae347e592f367e23af78ef93f4aab

SHA512
d1ff710977ce67dab17b682241febb1bd1ce9c3edc6dabd7cb604c491228e64383c8d675a93a6fc04ad995a91b22c2af2eb7d21ebda56685a33659dd4d3640b5

Download Submit
memory/2944-46-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2944-47-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/2944-51-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/2944-50-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/2944-49-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/2944-39-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2944-38-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/2944-48-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/2944-40-0x0000000000470000-0x0000000000509000-memory.dmp

Filesize
612KB

Download
memory/3988-17-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/3988-1-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3988-0-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/4636-20-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/4636-44-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/4636-21-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4636-14-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4636-11-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download