urelas | 19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
Size

331KB
MD5

76d36293ff75d248d7731b54c3af6c2f
SHA1

ceaccd192b749e542db6dd670e23d97edea1cfc1
SHA256

19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd
SHA512

a2ccec4e795fd15e0b6e7c8dd083adbbbb4186d8e9a07375a76b0cdc41a9fcdfc5b7fe3d0c84058ee7cb2a757f76be76d24e13850d3ee8014eaa2dbee6de8af2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYO:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	soxeu.exe

Executes dropped EXE 2 IoCs

pid	Process
684	soxeu.exe
2212	kexey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kexey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soxeu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe
2212	kexey.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 684	1556	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	90
PID 1556 wrote to memory of 684	1556	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	90
PID 1556 wrote to memory of 684	1556	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	90
PID 1556 wrote to memory of 3892	1556	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	91
PID 1556 wrote to memory of 3892	1556	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	91
PID 1556 wrote to memory of 3892	1556	19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe	91
PID 684 wrote to memory of 2212	684	soxeu.exe	108
PID 684 wrote to memory of 2212	684	soxeu.exe	108
PID 684 wrote to memory of 2212	684	soxeu.exe	108

C:\Users\Admin\AppData\Local\Temp\19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe
"C:\Users\Admin\AppData\Local\Temp\19f35b3953febd33ae91dffbe15fdd5644347ded263be7db099b66bc869ce7cd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\soxeu.exe
  "C:\Users\Admin\AppData\Local\Temp\soxeu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\kexey.exe
    "C:\Users\Admin\AppData\Local\Temp\kexey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
88848f355d4b18a9f30b5c4b46dbbd66

SHA1
3142afcaba6bee37282ecfd847133ae39eca38a9

SHA256
266a75325897c9960293b1b96672f1239df595ff3b0596ac2f7ab77dc494b4f3

SHA512
7bfb79b8362b6b9337fd1e53277cea19de70fe057f2044297f8245144453bd656129e206d2e7fc0e7f1ca5cb5b556b8674863767ed350b5a27c1d6e0adab3a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3d0b6c6c011ffb24398aa53b94d1c432

SHA1
c6c5b0c52475ae8a0658aac5368fa5f073f573b3

SHA256
9783f17626ab9cb2214914e65d6445b53b65c9406b6e88d22620e5f4017f66d7

SHA512
038c96dca6ea96bbeb9c07249355e6afbd7f019b68df3598b6f39df44ef47bb8714c51cc3b8b57950b4e7fab9a8ee94f35c2dc1b373572c0b6e6a6d72ddae555

Download Submit
C:\Users\Admin\AppData\Local\Temp\kexey.exe

Filesize
172KB

MD5
7eede315750930a1bd0c20cbd96fdf94

SHA1
a8b66a6742ce467f7794162d8a7291d7e353e231

SHA256
87bd9a6c9df46ae2a57a8fdd0b9a0a8d542302934b0a35cdc276b66d7f22b72a

SHA512
d3f149e6f5d02fc3f8294a5c250c3ad57474b883cb878f3120d8255bd8712d58fef89b51f885f6d5b8f2151459d89acd39fb913c3171ad5addd3afcdefcff9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\soxeu.exe

Filesize
331KB

MD5
3a9a441bbc67688d46ef649eea6e1a9d

SHA1
4588f73237b347d505ac06710930b0ca7c66c48e

SHA256
9ed54cd3ead602e762c4e2b6ac1f771e2b709bb08508eaea89cc9d8014e13b3b

SHA512
48ac07ca5bab120667e09401137c27bba49cc9f5cb8ced570042e32a43d549ff95ef11a71922c00b1f61fda9682c1f9eb034577b7a04d5e03d8996b6b0136489

Download Submit
memory/684-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/684-44-0x0000000000940000-0x00000000009C1000-memory.dmp

Filesize
516KB

Download
memory/684-14-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/684-13-0x0000000000940000-0x00000000009C1000-memory.dmp

Filesize
516KB

Download
memory/684-20-0x0000000000940000-0x00000000009C1000-memory.dmp

Filesize
516KB

Download
memory/1556-17-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/1556-0-0x0000000000320000-0x00000000003A1000-memory.dmp

Filesize
516KB

Download
memory/1556-1-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2212-37-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2212-42-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2212-39-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2212-46-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2212-47-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2212-48-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2212-49-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2212-50-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download