urelas | b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
Size

332KB
MD5

2e4cd5974566618cb6ad13032dbf99e6
SHA1

80f1d438c9ea383103d0e0061c6977e5d2344213
SHA256

b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35
SHA512

0e2e0f1dd374a57ee1392a65ead2eeea0044715731f2565ce130496733815b8540d57805e57544430394e067bca0b7ed23eb83f549adff9848750613023180a8
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYrh:vHW138/iXWlK885rKlGSekcj66ciY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	voame.exe

Executes dropped EXE 2 IoCs

pid	Process
4996	voame.exe
3784	muifj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muifj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe
3784	muifj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4996	5040	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	88
PID 5040 wrote to memory of 4996	5040	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	88
PID 5040 wrote to memory of 4996	5040	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	88
PID 5040 wrote to memory of 3292	5040	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	89
PID 5040 wrote to memory of 3292	5040	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	89
PID 5040 wrote to memory of 3292	5040	b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe	89
PID 4996 wrote to memory of 3784	4996	voame.exe	103
PID 4996 wrote to memory of 3784	4996	voame.exe	103
PID 4996 wrote to memory of 3784	4996	voame.exe	103

C:\Users\Admin\AppData\Local\Temp\b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe
"C:\Users\Admin\AppData\Local\Temp\b8fa304433ab405068b8c19d31c1f45e76215419430e7e5651e4963083be7f35.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\voame.exe
  "C:\Users\Admin\AppData\Local\Temp\voame.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\muifj.exe
    "C:\Users\Admin\AppData\Local\Temp\muifj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
78bcd2b643f40ee235915aee268d49f2

SHA1
57f6fc17b8c5c3edd6e74bb9d9a9dd875b81b1a0

SHA256
5acabff516d1cfccb9595c5e62ae898d2dc58cb6ef17eb770f46b14c3be249f6

SHA512
a1a9490f78be4436a5e28b41ed00082eb07a0f2d100f8298b8e939c97f99b3e49714912fd4b9e027c3ba49c5c6820176814ecf191019d71a3ee66c8064671201

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b5fd85abc0599dd2b097010a3a9fd0fb

SHA1
a1dc3efbc6d2e015fa7e222a76fd3c0b20668707

SHA256
17f8c7946105091e46214e01107f932313fba4e078549ea820dd96d3feea59d5

SHA512
8e409b7a2cd64997591ff20883274d4da4b298057b8fd73e62109bcdb25c7cd2b634e62e3db9787627af2e78820d073223b14fc42176d2df8ca61a4ec7e61b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\muifj.exe

Filesize
172KB

MD5
1b3d2ba5f4d68b255990cb5ed1d87462

SHA1
bb45873c0807ae3975b3676483995896860e8570

SHA256
e90dfbd1315a6e59e313c038c062dac1ae3bd82628a228be5a4d09145bbac00b

SHA512
97906afca207b4905564388ba663728251cae02bfd4845c8dac39ead3f81f192113f4ea9756caf8a9721dbe6cffb97c09aff3ff7b3039252ea5c996542bcf994

Download Submit
C:\Users\Admin\AppData\Local\Temp\voame.exe

Filesize
332KB

MD5
6a4703274144f9c416e47a248a1144cc

SHA1
ce3cac030119bb62ffeb0da5adb1fc1d534f9c7c

SHA256
f0aef441f89242e8bcea9d98f70b14f1796d3e7f6224983794d85ed906b00172

SHA512
7b1776bbeb9f06a4c17027f8658feff3b924380ff40ce012b382b80a8d97eb0c3c9182dbb9bd1ffd24f2b23a3728faccc78a0e716ce82aa845be8e7a1820c643

Download Submit
memory/3784-46-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3784-44-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/3784-50-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3784-49-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3784-48-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3784-47-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3784-41-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/3784-38-0x0000000000AA0000-0x0000000000B39000-memory.dmp

Filesize
612KB

Download
memory/4996-21-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/4996-40-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/4996-20-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/4996-11-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/4996-14-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/5040-1-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/5040-0-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download
memory/5040-17-0x0000000000C60000-0x0000000000CE1000-memory.dmp

Filesize
516KB

Download