urelas | 31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Size

330KB
MD5

574b21767e108012461c55b68fa4859a
SHA1

87bc2c0d8a0bc4a557eab7c655af9a25cdd3f509
SHA256

31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae
SHA512

0d56f0ec36795efdff4dbaf7bddbfc3770a130f9c96f25738d5be140b7bb25020d3b9eb62d3e2f4355bc5447fbbfda50ed6f53497892bccba75408cd04947fee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	zaixs.exe

Executes dropped EXE 2 IoCs

pid	Process
1652	zaixs.exe
2700	jamoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jamoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zaixs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe
2700	jamoz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1652	3712	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	89
PID 3712 wrote to memory of 1652	3712	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	89
PID 3712 wrote to memory of 1652	3712	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	89
PID 3712 wrote to memory of 3676	3712	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	90
PID 3712 wrote to memory of 3676	3712	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	90
PID 3712 wrote to memory of 3676	3712	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	90
PID 1652 wrote to memory of 2700	1652	zaixs.exe	108
PID 1652 wrote to memory of 2700	1652	zaixs.exe	108
PID 1652 wrote to memory of 2700	1652	zaixs.exe	108

C:\Users\Admin\AppData\Local\Temp\31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
"C:\Users\Admin\AppData\Local\Temp\31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\zaixs.exe
  "C:\Users\Admin\AppData\Local\Temp\zaixs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\jamoz.exe
    "C:\Users\Admin\AppData\Local\Temp\jamoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6790c30365b383b27826bed40956de20

SHA1
ab049a238e52322795aeab9c00328f2d69be60f9

SHA256
b8f9042e725b4b36536392412402f49ca2a8e496e2663cd86e29e1b7f989c446

SHA512
94f7ddc9b4c77ce0dd2e2e40c0e6fda5a9598cfc1fb2630d016b4cb3b879eec80a5a8832843fce53b0ff0282fdafa734d1675e3de49b7b6bd9fd590a06bf3646

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
98aeb95f0497744a258772be9812f38a

SHA1
4ea8c9da7e3a51bb1a90784696f7fc9e1e121d51

SHA256
c908e01f63fbfa5244a9eda9bde4041172ec8beaeca670a84ca3e3d36d3a3316

SHA512
463ae31b215cffa4cf369ad7b120454e583cf35f67dae43a7209d776c68992f6bf95b209a44f88febeb0e87b9f73a80cb58b2f232e026fa518d596d06d909a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamoz.exe

Filesize
172KB

MD5
b512874020174ef4aa8afdbe03449a7e

SHA1
f50db2ef283fa5a89c815fa1bfe73e881903526d

SHA256
9cfd642ec33dd3f84479f4e69a01ad2a36d1e7bfd3ef2560c850d108e0bda26e

SHA512
71ae9be37d603293fc79953f94ef7c6c26e7f35ad1cefe5b34353338698ed15c678ff0229178c54fc4e7be188cfffc73e687650618a2bdad7450e1dff3055788

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaixs.exe

Filesize
330KB

MD5
824248eb924f2c2ada4628adcc131fb8

SHA1
ada5b00f7ed15e1e1198259370fb4320d9ff3be0

SHA256
afe3e361321ad8f626cba0ecfbda63c4a25751b52b340145ca1e34ab8f25f73c

SHA512
c76a8ea43c3deb7433b426307baa5e42d136b5f52383e5c2188b6e854b75c84283076d2aa8c798f6d51d955774872f945d02c28088d48eaecca84df43d83e497

Download Submit
memory/1652-21-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1652-39-0x0000000000370000-0x00000000003F1000-memory.dmp

Filesize
516KB

Download
memory/1652-14-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1652-13-0x0000000000370000-0x00000000003F1000-memory.dmp

Filesize
516KB

Download
memory/1652-20-0x0000000000370000-0x00000000003F1000-memory.dmp

Filesize
516KB

Download
memory/2700-46-0x0000000000670000-0x0000000000672000-memory.dmp

Filesize
8KB

Download
memory/2700-42-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/2700-41-0x0000000000670000-0x0000000000672000-memory.dmp

Filesize
8KB

Download
memory/2700-40-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/2700-47-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/2700-48-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/2700-49-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/2700-50-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/2700-51-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/3712-17-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/3712-1-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3712-0-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download