urelas | 5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Size

331KB
MD5

2f0ef1635939f533b6748635655ec64a
SHA1

d11dea3716c70cc1d3958280a4b5093670fe4a87
SHA256

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893
SHA512

cb3d74d99dd0c5a2599ee836a1155ae7485483e6a4f5ebdab90e1f2dad917da66187ce2a9190659e7e9f18f4b6063d1d09f0e1f49aacbd5fa1329b081e05e0e6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVn:vHW138/iXWlK885rKlGSekcj66ciEn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exeargez.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	argez.exe

Executes dropped EXE 2 IoCs

Processes:

argez.exemoqoz.exe

pid	Process
1604	argez.exe
1668	moqoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exeargez.execmd.exemoqoz.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	argez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moqoz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

moqoz.exe

pid	Process
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe
1668	moqoz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exeargez.exe

description	pid	Process	procid_target
PID 3380 wrote to memory of 1604	3380	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	88
PID 3380 wrote to memory of 1604	3380	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	88
PID 3380 wrote to memory of 1604	3380	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	88
PID 3380 wrote to memory of 1824	3380	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	89
PID 3380 wrote to memory of 1824	3380	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	89
PID 3380 wrote to memory of 1824	3380	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	89
PID 1604 wrote to memory of 1668	1604	argez.exe	102
PID 1604 wrote to memory of 1668	1604	argez.exe	102
PID 1604 wrote to memory of 1668	1604	argez.exe	102

C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
"C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\argez.exe
  "C:\Users\Admin\AppData\Local\Temp\argez.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\moqoz.exe
    "C:\Users\Admin\AppData\Local\Temp\moqoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c22be246c83b4a82251d635b9db17513

SHA1
777b281a4961eadfb262683d1bc1831f6dba5e6a

SHA256
c82836682e0e4cddb5d93844038ef76e48d0568a0aa64591e274ab76d8cf23d4

SHA512
2c2748c0d4bd8ab8cb0049fc18acdc8fa21e9576e88bf54e106ced12417f799d1d475d0762c6084009a0275cadbd05ba40b55d5cdb08122642d67475aeb9de32

Download Submit
C:\Users\Admin\AppData\Local\Temp\argez.exe

Filesize
331KB

MD5
8c8c01d582d3debbec68a45ab2fc8dc2

SHA1
a43d5232ee868a6770fa4fd87e099fbed7904e3b

SHA256
a784c519a56749aba1ef9e7db6593fc5369ab0658712e990e8e254945f97eb4e

SHA512
f06f97baa782356e65e36277a100b4b5b3cad79840ab4f8faa425905aabbfd5db2216994709278d375504701aad3a3e426429194cd47fb7627e081022655179d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
352d4b1915d5e0c9a78f2ce36da2a2f7

SHA1
29fcc571e5b62c07e7365d5515692592d05f72ef

SHA256
1437c5d3161ea5769daeaa32308778c3caa28348c6a0b487459819dbfa442810

SHA512
093ff067d5ce5aa82bdec1b6341e6ee4dc254b42becf1983ee675488db4cd577580df1d5cdc5c38866bb4c39407c9181d1d02979ced6248a63558f21b9c8cafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqoz.exe

Filesize
172KB

MD5
1b68867902171581d5f2b3fd8f1540af

SHA1
99145a9e33f15172b56488e59d955a3b522f682b

SHA256
0923c3b12e5298cb5822becfabbf90bb532964fd0f573393743436aa0bde49d6

SHA512
6fd4b1e91f62139965430f8de487a5d4c8dea1de36315a4e6b78d15e381e132fc8b8336664ca037f38a8eb32b05a496ecea6bd166857c7f815bd2993c3fbfd91

Download Submit
memory/1604-21-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1604-41-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/1604-14-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1604-11-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/1604-20-0x00000000003E0000-0x0000000000461000-memory.dmp

Filesize
516KB

Download
memory/1668-47-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/1668-39-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/1668-38-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1668-42-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1668-46-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1668-48-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1668-49-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1668-50-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1668-51-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/3380-17-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/3380-1-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3380-0-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download