urelas | 4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
Size

356KB
MD5

89280f71892759a8b5d330cbed1a6b9c
SHA1

94fc6560599b5020fb558500a094394a5c85af8c
SHA256

4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75
SHA512

fed9aaf4e187023a341fbb4e785105b436d6f5d6501fa31b2841c87f65b06c37260dff6608671316783ad8dad84e620e190b87e0bfa686a821ad178d0ec03118
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0h:MUyI6QmPPPqVsps

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lefyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	kyqoky.exe

Executes dropped EXE 3 IoCs

pid	Process
4564	lefyp.exe
776	kyqoky.exe
4500	apnea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apnea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lefyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyqoky.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe
4500	apnea.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4564	3296	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	84
PID 3296 wrote to memory of 4564	3296	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	84
PID 3296 wrote to memory of 4564	3296	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	84
PID 3296 wrote to memory of 4684	3296	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	85
PID 3296 wrote to memory of 4684	3296	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	85
PID 3296 wrote to memory of 4684	3296	4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe	85
PID 4564 wrote to memory of 776	4564	lefyp.exe	87
PID 4564 wrote to memory of 776	4564	lefyp.exe	87
PID 4564 wrote to memory of 776	4564	lefyp.exe	87
PID 776 wrote to memory of 4500	776	kyqoky.exe	103
PID 776 wrote to memory of 4500	776	kyqoky.exe	103
PID 776 wrote to memory of 4500	776	kyqoky.exe	103
PID 776 wrote to memory of 2196	776	kyqoky.exe	104
PID 776 wrote to memory of 2196	776	kyqoky.exe	104
PID 776 wrote to memory of 2196	776	kyqoky.exe	104

C:\Users\Admin\AppData\Local\Temp\4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe
"C:\Users\Admin\AppData\Local\Temp\4dd9cbea45573b466fea7b19445ee3cf60b300f5297f788a7ea8b3730b498a75.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Local\Temp\lefyp.exe
  "C:\Users\Admin\AppData\Local\Temp\lefyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\kyqoky.exe
    "C:\Users\Admin\AppData\Local\Temp\kyqoky.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\apnea.exe
      "C:\Users\Admin\AppData\Local\Temp\apnea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
fbda5501e0cc5d81f18db3e932f5f92d

SHA1
561a1409b02236a4a3b8fce97cc4269bf722b5d9

SHA256
f583f215cc4b75178c1b05bed17694223aaa494b6298dc48d5971b2bcf5194ce

SHA512
932edd3e01e7b9576f1e3a1e94988cec2cef0775938d4a6ba02dbb2f48dd1d869225e5a8236c5ba4896ffd03db1cfcba7d26ae95824ae41aac1bc34f5a81019b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
43b5e1b182ac03467b86aded3bc35ae7

SHA1
beab788562f4689e9f1d08089073326853990bfb

SHA256
d6f55602d33a59eff0bc28cad81fa87407e9e5c51c6fd707c9fb83e3df16f8fe

SHA512
25cc7e7c37877a841109d0b000808846696791d5af30e4909ab918f145b2b719b6de7388a7d893e211ffa635c62935311f3cea6628391abf3c71dbdfac428976

Download Submit
C:\Users\Admin\AppData\Local\Temp\apnea.exe

Filesize
107KB

MD5
41aa8b33d691ed6973ae8763a3d0f050

SHA1
c6a1b1358bb31d9cdb00fb8049d898941eaddb17

SHA256
3ef6bd1128777e6855a3817083630fec1a10576011e4c0ad6fa4e770eac3fc33

SHA512
059286cf9a8f0faeb0fe43801276611f2549367cab09d9fa1fa9a6c445ea5311109399556c07b85743a68289127d3a88ff986db824d5d908d95e0586be85c54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3ef0ce7055c6a3234dfa68c542b058c3

SHA1
77b43ebee240e525c24475e178d5efddef6e961f

SHA256
363232083ef63c024e04a5e664154cd3287a7aa1ffc0f2043aa089db12b8aabf

SHA512
bee2e8f3b8afac75ca9a97e613eae926acbd9e40ed8d86fa4c9a3b47b82113035e34dbbddb559f6e8e662178d4346825100882b8448393f92c4aa16c38380ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lefyp.exe

Filesize
356KB

MD5
299fdb71c44a66ab1925111075be01a2

SHA1
d188a75d2b1f7fad36121dbc4320e6b29358ec68

SHA256
3fbad85b20f5bffa05059fa864cc6293437db231639ff4820c8ea3f015ed3c6e

SHA512
207a4dc415e7ad86d0a68f4d354086785c38407c894f581f23debf422c5b78c286d0319a383bc92c8c4561e35eadb5a0845e7f55e07204f0c31735e8241ea6ce

Download Submit
memory/776-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/776-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3296-15-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3296-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4500-36-0x00000000009F0000-0x0000000000A75000-memory.dmp

Filesize
532KB

Download
memory/4500-41-0x00000000009F0000-0x0000000000A75000-memory.dmp

Filesize
532KB

Download
memory/4500-42-0x00000000009F0000-0x0000000000A75000-memory.dmp

Filesize
532KB

Download
memory/4500-43-0x00000000009F0000-0x0000000000A75000-memory.dmp

Filesize
532KB

Download
memory/4500-44-0x00000000009F0000-0x0000000000A75000-memory.dmp

Filesize
532KB

Download
memory/4500-45-0x00000000009F0000-0x0000000000A75000-memory.dmp

Filesize
532KB

Download
memory/4500-46-0x00000000009F0000-0x0000000000A75000-memory.dmp

Filesize
532KB

Download
memory/4564-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download