urelas | 5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Size

331KB
MD5

2f0ef1635939f533b6748635655ec64a
SHA1

d11dea3716c70cc1d3958280a4b5093670fe4a87
SHA256

5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893
SHA512

cb3d74d99dd0c5a2599ee836a1155ae7485483e6a4f5ebdab90e1f2dad917da66187ce2a9190659e7e9f18f4b6063d1d09f0e1f49aacbd5fa1329b081e05e0e6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVn:vHW138/iXWlK885rKlGSekcj66ciEn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	epvae.exe

Executes dropped EXE 2 IoCs

pid	Process
2908	epvae.exe
3360	imyjl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epvae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imyjl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe
3360	imyjl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 2908	3960	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	88
PID 3960 wrote to memory of 2908	3960	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	88
PID 3960 wrote to memory of 2908	3960	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	88
PID 3960 wrote to memory of 2116	3960	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	89
PID 3960 wrote to memory of 2116	3960	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	89
PID 3960 wrote to memory of 2116	3960	5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe	89
PID 2908 wrote to memory of 3360	2908	epvae.exe	110
PID 2908 wrote to memory of 3360	2908	epvae.exe	110
PID 2908 wrote to memory of 3360	2908	epvae.exe	110

C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe
"C:\Users\Admin\AppData\Local\Temp\5b5541c8a94f98e38ebac66eb5009d36eea569c473be2b2396fe2489e8016893.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Users\Admin\AppData\Local\Temp\epvae.exe
  "C:\Users\Admin\AppData\Local\Temp\epvae.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\imyjl.exe
    "C:\Users\Admin\AppData\Local\Temp\imyjl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c22be246c83b4a82251d635b9db17513

SHA1
777b281a4961eadfb262683d1bc1831f6dba5e6a

SHA256
c82836682e0e4cddb5d93844038ef76e48d0568a0aa64591e274ab76d8cf23d4

SHA512
2c2748c0d4bd8ab8cb0049fc18acdc8fa21e9576e88bf54e106ced12417f799d1d475d0762c6084009a0275cadbd05ba40b55d5cdb08122642d67475aeb9de32

Download Submit
C:\Users\Admin\AppData\Local\Temp\epvae.exe

Filesize
331KB

MD5
86d28cd94045a56f1cd807c9bd8c4281

SHA1
658476cce64b383b45743a71b6ff40ee2bb31af9

SHA256
481f8e105090bf7e002f80be5a4bf0c646e0e474b116a5c46b96bb0ff23467af

SHA512
919bf3e7e4fa822e1633be759a26a01e578dced293cdda4341372be163bb3707f8001cffd24ec932f31717a70dcb95bc25fb5c88cca4c50ddfc822822b5eba4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
57d46f25b0e993467aa6848e2c698964

SHA1
c3058e191b848945611aeeb41c15e2ec42344fa4

SHA256
1512d9a4c24f81e47509bca065b33f728fa9701ea6912263ff98a7918038f2cd

SHA512
ad537fd580518bb29ef7b82a66637597a7411eef9eca440c69cdfee0d4a44a279722885b47e66b7e4bdb5a389fce0ebad0957f3352f6e683788f76ce40aa637a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imyjl.exe

Filesize
172KB

MD5
fbbed57c224ffa4a763d931427d9562d

SHA1
1dc721452bd2093edd8f3f7dc9c7812717181c95

SHA256
ba3d8a2988cc1a89183831ee47f59bba0d02e7d51ba2e89785f653bcdda8bf2f

SHA512
58bf4ddcfc52a1498c80bf732d3899a0b5b7836a192d1fd588a7e291592a0189ad4391befdd1498f9434eaf7ce7a28244f3a7066336133aeb04a4bc5de6a9a96

Download Submit
memory/2908-20-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2908-43-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2908-14-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2908-13-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/3360-45-0x0000000000CB0000-0x0000000000D49000-memory.dmp

Filesize
612KB

Download
memory/3360-38-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/3360-39-0x0000000000CB0000-0x0000000000D49000-memory.dmp

Filesize
612KB

Download
memory/3360-37-0x0000000000CB0000-0x0000000000D49000-memory.dmp

Filesize
612KB

Download
memory/3360-46-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/3360-47-0x0000000000CB0000-0x0000000000D49000-memory.dmp

Filesize
612KB

Download
memory/3360-48-0x0000000000CB0000-0x0000000000D49000-memory.dmp

Filesize
612KB

Download
memory/3360-49-0x0000000000CB0000-0x0000000000D49000-memory.dmp

Filesize
612KB

Download
memory/3360-50-0x0000000000CB0000-0x0000000000D49000-memory.dmp

Filesize
612KB

Download
memory/3960-17-0x00000000005C0000-0x0000000000641000-memory.dmp

Filesize
516KB

Download
memory/3960-1-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3960-0-0x00000000005C0000-0x0000000000641000-memory.dmp

Filesize
516KB

Download