urelas | f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
Size

331KB
MD5

d0f5aa37150fd76ed30c94e2ea861360
SHA1

0694a6dfaee9a3d72fb83cff3d059346335cceef
SHA256

f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8
SHA512

de106aae556355bd8447b84b996d949c7e1495a14fa89be322eac0a1797b6be2beba68ae232dfd53260723f917a3bdb7a66cfb648f39e59937a09d91070b34bd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYu:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	emmyf.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	emmyf.exe
4320	ypvec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypvec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe
4320	ypvec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1992	2152	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	88
PID 2152 wrote to memory of 1992	2152	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	88
PID 2152 wrote to memory of 1992	2152	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	88
PID 2152 wrote to memory of 4516	2152	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	89
PID 2152 wrote to memory of 4516	2152	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	89
PID 2152 wrote to memory of 4516	2152	f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe	89
PID 1992 wrote to memory of 4320	1992	emmyf.exe	107
PID 1992 wrote to memory of 4320	1992	emmyf.exe	107
PID 1992 wrote to memory of 4320	1992	emmyf.exe	107

C:\Users\Admin\AppData\Local\Temp\f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe
"C:\Users\Admin\AppData\Local\Temp\f649801fc7bb65145b95cc267e9b32eb7010067777945edb00914a8a8f7b58a8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\emmyf.exe
  "C:\Users\Admin\AppData\Local\Temp\emmyf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\ypvec.exe
    "C:\Users\Admin\AppData\Local\Temp\ypvec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9d9e06420c3ba86f8414fd83ba47a417

SHA1
cd23edf05181d27f24cb92fbf2d887f2ca2a6f38

SHA256
fd1458e291ed86807ab2ad499830b4d1187514c91e0ec70ef1c340e3baea5855

SHA512
0f2d51a0bd665054cec94b1fb0c8573fb3c681ea0f0b6dc474e9b1d792f81c6ac6461ddd50ed12642c3b447d73155deb0cf90def636dfa5b951ae485d9eef18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\emmyf.exe

Filesize
331KB

MD5
6eaa98d4ae73d342fd81b4fc8fa1c6cd

SHA1
c929aeece77db543a56c3850cdf1e5cc7138f3e9

SHA256
0d7ad770c819d893cff2a0c6fe8afd92767737acf50afe810cb4fe1ed2822cab

SHA512
c61986032a8c6ad7e199b75f54789ccc5a0ac58954496921d03855def679ba6edc3e3d69da21c98f03db04f81a746ee7ed5a0bea68e7e261c02b9e16e5760d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c6ec96ac10b744183b5d3a5487c247aa

SHA1
bb7b4f5ca7a52274229a8772b323dea66174d6f9

SHA256
2b930826dc83838a5a0323de29bb74f44a871e75398821acfa34003bf51c30f9

SHA512
704fc9595b442272ddf77685fa042896c2d430185f4f86ffd4d15fe8c67e488b7cb36d21968e098bcde902fc9857ab8d232322de0534007772aabe19872e3a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypvec.exe

Filesize
172KB

MD5
6dcc0fcfe4d59ac6945235a79d7c1617

SHA1
02c58749437ccaaf7aae79ef8bfc72befccec321

SHA256
dec368580e493ea8ff9d260a37dd8e7a709be9bc1132f9654b3ff9d7d260f665

SHA512
89b6b9ff317d089208ad47d29f6bb7bc6c790a3db4095a4a9a8d27cfd594ec3225a6386ac485de69d08856abab26a2b9fb00f40dff7ee07098550d6f050bc958

Download Submit
memory/1992-21-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/1992-44-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/1992-13-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/1992-14-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1992-20-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2152-17-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download
memory/2152-0-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download
memory/2152-1-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/4320-39-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/4320-38-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/4320-41-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/4320-46-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/4320-47-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/4320-48-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/4320-49-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/4320-50-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download
memory/4320-51-0x0000000000930000-0x00000000009C9000-memory.dmp

Filesize
612KB

Download