urelas | 764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
Size

331KB
MD5

4b7a708dc78ddafa0a62a30396061370
SHA1

6b7d06d60e77a498ce19ce17e0a3db71ad94f403
SHA256

764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38
SHA512

df62eb35d1555407f2c556dc66b8393e2d2061f4580c81eed9ccba0399bab171b306c8a66fc49d4481f23205de55e250fd4014724deb4437693a1206d9b2bdcb
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66civ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exeizcej.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	izcej.exe

Executes dropped EXE 2 IoCs

Processes:

izcej.exefipys.exe

pid	Process
2356	izcej.exe
2228	fipys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fipys.exe764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exeizcej.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fipys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izcej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fipys.exe

pid	Process
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe
2228	fipys.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exeizcej.exe

description	pid	Process	procid_target
PID 1940 wrote to memory of 2356	1940	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	87
PID 1940 wrote to memory of 2356	1940	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	87
PID 1940 wrote to memory of 2356	1940	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	87
PID 1940 wrote to memory of 2320	1940	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	88
PID 1940 wrote to memory of 2320	1940	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	88
PID 1940 wrote to memory of 2320	1940	764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe	88
PID 2356 wrote to memory of 2228	2356	izcej.exe	108
PID 2356 wrote to memory of 2228	2356	izcej.exe	108
PID 2356 wrote to memory of 2228	2356	izcej.exe	108

C:\Users\Admin\AppData\Local\Temp\764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe
"C:\Users\Admin\AppData\Local\Temp\764424a0386baa1963ff226c1de9013bdb13ede6f0ac4bd8202ece9b423e9a38.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\izcej.exe
  "C:\Users\Admin\AppData\Local\Temp\izcej.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\fipys.exe
    "C:\Users\Admin\AppData\Local\Temp\fipys.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
bcbda404940990d88452be524489fd3b

SHA1
9277bd3a72d610f579c9a613e6da7ab20b69c332

SHA256
6c7041a9420f4be939bcfba6eeb86d61f13dc4d69312a561356d63deb502a9cc

SHA512
52d246aacf8987dbf27d612f39648353eaaf5fc001f07363ba312e2747b053ac5424baf74855e58965856053251758f513ec5cf08087a2c4103abc03679077ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\fipys.exe

Filesize
172KB

MD5
19c77b15f5eaebadb2dcfbf7ce96654f

SHA1
ff7d30d41bf30facbda28a5b3198ef2520f7727c

SHA256
03d59c3c99e6616680a96642ffe09861fd2443d19285fe8a1b54fc289f87c826

SHA512
9462304b5afccf9344e5952714e55dcd1bc47c9d2a084f4d7b12ef2e312c3de72e2440adfe3df9dda201470c5485dbaf4626163f1d3f772bd7b32a87a69c3b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6bdcb7166abca588d1f530658c1d5fa6

SHA1
1b1a4c77a094aa2ac012ae124a8edfba1801df40

SHA256
407f1512aeb670b0b6171c4aa0286ad955ab4ee773e88563fc7077664ac37f1e

SHA512
8ef95d6bd3165ab04e066f9e053ec43066e0a66399d061016ef2ee232b77ea1a53ad40dc6aabf6cdc0d61ca8cc5973af45aa6b7a809bab9d8baabd3fc5ad5950

Download Submit
C:\Users\Admin\AppData\Local\Temp\izcej.exe

Filesize
331KB

MD5
9edcb6fca51e7c36e80815e639364917

SHA1
4208fc47e5e669c551cbbb03af8628e11be00d58

SHA256
7eb34877afd0b9d61cf9a5dff7efac27e1049fda1d1c5d89b36f8aeee6f5a89b

SHA512
bd520d169de81a643fcf6b037ff6668ea58d1526b18bd0ebcd08fadf93ab3799f2bed52f96f48a701cf68e1abd88d4eab5cf509fbe0a15713a41b1c53efd1211

Download Submit
memory/1940-17-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/1940-0-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/1940-1-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2228-46-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/2228-51-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/2228-50-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/2228-49-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/2228-39-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2228-38-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/2228-48-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/2228-42-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/2228-47-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2356-20-0x0000000000F40000-0x0000000000FC1000-memory.dmp

Filesize
516KB

Download
memory/2356-41-0x0000000000F40000-0x0000000000FC1000-memory.dmp

Filesize
516KB

Download
memory/2356-21-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2356-14-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2356-13-0x0000000000F40000-0x0000000000FC1000-memory.dmp

Filesize
516KB

Download