urelas | fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
Size

333KB
MD5

80c2e464d0e65c20fa068a3bfa7470b0
SHA1

51cdb889c9708a161fdb3c5fda6a4e38bebfbf23
SHA256

fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52b
SHA512

abccd3d3d12848d114b0b7aa060b3c94b07175ccf965413944a884b933afbb71eb15dca3f06269d2fc421bbec59b831132d6fa759127065c495298bbadb3a6dd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9+3:vHW138/iXWlK885rKlGSekcj66ciWQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	myaby.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	myaby.exe
3008	gyebv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myaby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyebv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe
3008	gyebv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2676	1360	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	88
PID 1360 wrote to memory of 2676	1360	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	88
PID 1360 wrote to memory of 2676	1360	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	88
PID 1360 wrote to memory of 2576	1360	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	89
PID 1360 wrote to memory of 2576	1360	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	89
PID 1360 wrote to memory of 2576	1360	fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe	89
PID 2676 wrote to memory of 3008	2676	myaby.exe	102
PID 2676 wrote to memory of 3008	2676	myaby.exe	102
PID 2676 wrote to memory of 3008	2676	myaby.exe	102

C:\Users\Admin\AppData\Local\Temp\fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe
"C:\Users\Admin\AppData\Local\Temp\fe664118685632ec48e1bc3fbc30a7ba8972e04f77df8f22621345ac005ad52bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\myaby.exe
  "C:\Users\Admin\AppData\Local\Temp\myaby.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\gyebv.exe
    "C:\Users\Admin\AppData\Local\Temp\gyebv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0eefb7b287f60aef1a98238ca7d04fe8

SHA1
1bee211430b5cad19b65e0f028476fbdd6f9b12e

SHA256
248ce742a9ebd40c52e9ad1450f917bb187aae04534cb4bb9159897b660a262f

SHA512
6c3e358a6b5264c9c62312c6d47452f46fafaa31c8beb07d96f314a65505dd361345c627e8d5fba4f2bf0a9f951b6574807e97c03195c8ece8e067a5a875b621

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
781198bb281ce241eab18c560dd338fb

SHA1
d880fec88abee4b7006f0547cea85fe29ba780f1

SHA256
9322c0c28890a2b145de4301dad56d57a946fff5de6316f0310295ccec721831

SHA512
b413c5df2a31b2c2b01920f9baf1f343eda79608a072c4f2a4fd840321d93690d15de1fac5d47632d83a0f03a8dc7c4d8c3d641d907de71b861af17d4641eea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyebv.exe

Filesize
172KB

MD5
6a5156282e68a1ffa61ea9b55d89bd04

SHA1
50015f95f7627fcb2f49490f2e3edd4628793c2e

SHA256
1f7f4c34f115a3a9f8eacb671e2cf61f325e716e0bef77533a741d5235f0fbc7

SHA512
1af0887827fca13b130dd9cfea437f31d9e9cf322a29f0b8501a6452b7fee202e2c4653767b72901b127a8af526f91cb0eba08470a7a966d9b721cb10aa0f216

Download Submit
C:\Users\Admin\AppData\Local\Temp\myaby.exe

Filesize
333KB

MD5
df2c48968b82589127f71e3f4949421c

SHA1
664ac3c9f099b3fcbcd362b83e4d1bd9e5b42015

SHA256
6cb7e4f75a2570d570a23fec520332b06ecfe256604a4daedc331ce573eab51a

SHA512
fd6d9a7b12e8bf1fc9c91e85b4c71c504be7505888bc30942c8fe7f4ce2b1f1120beaa2a8bf2ffa5a1669adc21bf61c095f1aec642d093b8bc17c6418b7f0a9c

Download Submit
memory/1360-16-0x00000000008D0000-0x0000000000951000-memory.dmp

Filesize
516KB

Download
memory/1360-1-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1360-0-0x00000000008D0000-0x0000000000951000-memory.dmp

Filesize
516KB

Download
memory/2676-40-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2676-14-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2676-11-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2676-19-0x0000000000F90000-0x0000000001011000-memory.dmp

Filesize
516KB

Download
memory/2676-20-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3008-37-0x0000000000630000-0x00000000006C9000-memory.dmp

Filesize
612KB

Download
memory/3008-38-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/3008-41-0x0000000000630000-0x00000000006C9000-memory.dmp

Filesize
612KB

Download
memory/3008-45-0x0000000000630000-0x00000000006C9000-memory.dmp

Filesize
612KB

Download
memory/3008-46-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/3008-47-0x0000000000630000-0x00000000006C9000-memory.dmp

Filesize
612KB

Download
memory/3008-48-0x0000000000630000-0x00000000006C9000-memory.dmp

Filesize
612KB

Download
memory/3008-49-0x0000000000630000-0x00000000006C9000-memory.dmp

Filesize
612KB

Download
memory/3008-50-0x0000000000630000-0x00000000006C9000-memory.dmp

Filesize
612KB

Download