urelas | 62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Size

333KB
MD5

a08624aa8369a8873d683590fb3f0fed
SHA1

75cb37084b41f2cfc3d9e4ec990a19631375e2b4
SHA256

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778
SHA512

7431757670d2359ff3fe8a4ca2319ca09e1f3fafb769e3e6c91fdd47d69e978362fcea45995723435fd13bcc3b133a6300cba392659d6a068487d66023639088
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9P:vHW138/iXWlK885rKlGSekcj66ciWP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exezioff.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	zioff.exe

Executes dropped EXE 2 IoCs

Processes:

zioff.exevojud.exe

pid	Process
3292	zioff.exe
1252	vojud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exezioff.execmd.exevojud.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zioff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vojud.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vojud.exe

pid	Process
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe
1252	vojud.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exezioff.exe

description	pid	Process	procid_target
PID 3784 wrote to memory of 3292	3784	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	89
PID 3784 wrote to memory of 3292	3784	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	89
PID 3784 wrote to memory of 3292	3784	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	89
PID 3784 wrote to memory of 1660	3784	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	90
PID 3784 wrote to memory of 1660	3784	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	90
PID 3784 wrote to memory of 1660	3784	62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe	90
PID 3292 wrote to memory of 1252	3292	zioff.exe	101
PID 3292 wrote to memory of 1252	3292	zioff.exe	101
PID 3292 wrote to memory of 1252	3292	zioff.exe	101

C:\Users\Admin\AppData\Local\Temp\62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe
"C:\Users\Admin\AppData\Local\Temp\62330b9026c956b6580fd086b2171bf50887fe298259ac0b7e53d9e019f59778.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\zioff.exe
  "C:\Users\Admin\AppData\Local\Temp\zioff.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\vojud.exe
    "C:\Users\Admin\AppData\Local\Temp\vojud.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
ea2c3ad2177becefa293d8bff004fd8d

SHA1
84685598abf20b1813b4c475d5053b1969980504

SHA256
d8a231e7959ce5232dfbb8c2501c5fbdfbf669a2226e9a3a8eec2ee7cf6d0dd7

SHA512
5b27e8434474413af8ec35ee473cde03c9084420956861f22c81350ec572f70b6809ebbae2e7ccfdf2431149df730e9564f8e2456d72665fb364b86859c04ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c0a2ca34ce0c9cd734ff07fba55de602

SHA1
10130be9e32743411a2d484659b3078228bb3447

SHA256
948c0247e55124c97779270680ca1923c74e29d931ec416127949a2e25b32cc5

SHA512
6b9a54007ee336bc0109a63f35b5a8c9dbea342eac2e1933e24c6ec04abd7f8dc1ae4d931fa1f95c008c41a051f6f634387afdebbb1f239a79b46f067b330ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vojud.exe

Filesize
172KB

MD5
94b25711ee58f3d2023ed396dae21818

SHA1
aa927fa9e0e319db1d6d0aaa5633a2ee5f75b487

SHA256
acabbb4a023d57fa2218f17c36d74561570ab1d6aa0abd4e93505afd2bd94ac8

SHA512
60efddc1c9546577d108dafade2932e231c74b2b52668c4719ae77a1881d6ff88121c581e785821f8d55bfbd88024230540673e8ca04569d2853733969a3cad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zioff.exe

Filesize
333KB

MD5
8080620039bcbead16f99d49663acb7c

SHA1
1d099785fde7bc00a9331a532812ed723417db27

SHA256
e3a4f4d4a31e773988627c21d36cd30da346e6cecb826a0740149b7390fb6eef

SHA512
ede198b60c431e306c953cc731e14f78a2093e118de69a3e99e96163f0343e6da97bf7ecb90d4c5d0c125866248450e17d93c590e296054e3e811f6967bff581

Download Submit
memory/1252-36-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1252-48-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1252-47-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1252-46-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1252-45-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1252-44-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1252-40-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/1252-39-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/3292-19-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/3292-42-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/3292-12-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/3292-13-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3784-0-0x0000000000480000-0x0000000000501000-memory.dmp

Filesize
516KB

Download
memory/3784-16-0x0000000000480000-0x0000000000501000-memory.dmp

Filesize
516KB

Download
memory/3784-1-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download