urelas | 31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Size

330KB
MD5

574b21767e108012461c55b68fa4859a
SHA1

87bc2c0d8a0bc4a557eab7c655af9a25cdd3f509
SHA256

31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae
SHA512

0d56f0ec36795efdff4dbaf7bddbfc3770a130f9c96f25738d5be140b7bb25020d3b9eb62d3e2f4355bc5447fbbfda50ed6f53497892bccba75408cd04947fee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	hivah.exe

Executes dropped EXE 2 IoCs

pid	Process
5004	hivah.exe
1616	eboba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eboba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hivah.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe
1616	eboba.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 5004	4668	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	89
PID 4668 wrote to memory of 5004	4668	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	89
PID 4668 wrote to memory of 5004	4668	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	89
PID 4668 wrote to memory of 952	4668	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	90
PID 4668 wrote to memory of 952	4668	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	90
PID 4668 wrote to memory of 952	4668	31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe	90
PID 5004 wrote to memory of 1616	5004	hivah.exe	101
PID 5004 wrote to memory of 1616	5004	hivah.exe	101
PID 5004 wrote to memory of 1616	5004	hivah.exe	101

C:\Users\Admin\AppData\Local\Temp\31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe
"C:\Users\Admin\AppData\Local\Temp\31a7a6a76277be46d2cf9fca4d7bc90fefeb41eadab5486d1599a3044df631ae.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\hivah.exe
  "C:\Users\Admin\AppData\Local\Temp\hivah.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\eboba.exe
    "C:\Users\Admin\AppData\Local\Temp\eboba.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6790c30365b383b27826bed40956de20

SHA1
ab049a238e52322795aeab9c00328f2d69be60f9

SHA256
b8f9042e725b4b36536392412402f49ca2a8e496e2663cd86e29e1b7f989c446

SHA512
94f7ddc9b4c77ce0dd2e2e40c0e6fda5a9598cfc1fb2630d016b4cb3b879eec80a5a8832843fce53b0ff0282fdafa734d1675e3de49b7b6bd9fd590a06bf3646

Download Submit
C:\Users\Admin\AppData\Local\Temp\eboba.exe

Filesize
172KB

MD5
452e55d13c389171e16f264478ea89a1

SHA1
0ae7938bae5a3bffaa82bfabbb7e2c4da0a0b42a

SHA256
c73d10975dac72fa85a75d31a9005a61ffcbce3b5f1332a933e3ccebd5fc2715

SHA512
dee749dc4c424f87416ba5d2f3160707c42a7e2e239e60ee7a8ac2ecef0ca14ac21831b36f8d8ee3a42d33196babf2f14eb0353d4737eff24559b735c37e5245

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b405ab13933e990923d9a6cf2c3c59ef

SHA1
1316c432a78f1d274e06777ee78600f15f15caf8

SHA256
71e7ffef4338578d35162dc55e702df9105331a0e6609d8b4e6699e4e033d9cc

SHA512
6eece7d02e041a0b457ca615241d92fd79ffb9eff2184a01886c7347157f0e33fa7f6b2f15d653773fadf9b27efd51712c77e478c04a5b1756f2550593e883b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hivah.exe

Filesize
330KB

MD5
f0f9a3c928b535703cff13b041951d8c

SHA1
4de9068dd8b42c0a95e2e03713958dddc18379c5

SHA256
d016034a93d684cff41a2f02a9d2ae943fe8daea45faf106450997a9f0092614

SHA512
ee4751934d6b1ace97a3fd640a285fffc89b88c3e1ee99591a069461d8e78fdfeb97e47bb00452b4d63517d2ad12ab3d8048998f4a3b391f1c068a64955f63cc

Download Submit
memory/1616-46-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1616-45-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/1616-50-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1616-49-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1616-48-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1616-47-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1616-38-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/1616-37-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1616-40-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/4668-17-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/4668-0-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/4668-1-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/5004-43-0x00000000004B0000-0x0000000000531000-memory.dmp

Filesize
516KB

Download
memory/5004-20-0x00000000004B0000-0x0000000000531000-memory.dmp

Filesize
516KB

Download
memory/5004-14-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/5004-13-0x00000000004B0000-0x0000000000531000-memory.dmp

Filesize
516KB

Download