urelas | bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Size

332KB
MD5

a802406b8f20f3c1120794c61e6ea080
SHA1

1a6bebbfbe96c6a8dfb577f89032caa18413e6ed
SHA256

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342
SHA512

ff3617fa3ac161512fc3e13d75cc77542a5f0976a0d2583b336578e309c7c6fdb07f3c6f711410ad38e1fa8182dde94ca4490de70ec66937f114146c46631004
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVC:vHW138/iXWlK885rKlGSekcj66ciEC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.execosut.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cosut.exe

Executes dropped EXE 2 IoCs

Processes:

cosut.exekobig.exe

pid	Process
3812	cosut.exe
332	kobig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.execosut.execmd.exekobig.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cosut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kobig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kobig.exe

pid	Process
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe
332	kobig.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.execosut.exe

description	pid	Process	procid_target
PID 1492 wrote to memory of 3812	1492	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	88
PID 1492 wrote to memory of 3812	1492	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	88
PID 1492 wrote to memory of 3812	1492	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	88
PID 1492 wrote to memory of 2160	1492	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	89
PID 1492 wrote to memory of 2160	1492	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	89
PID 1492 wrote to memory of 2160	1492	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	89
PID 3812 wrote to memory of 332	3812	cosut.exe	102
PID 3812 wrote to memory of 332	3812	cosut.exe	102
PID 3812 wrote to memory of 332	3812	cosut.exe	102

C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
"C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\cosut.exe
  "C:\Users\Admin\AppData\Local\Temp\cosut.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\kobig.exe
    "C:\Users\Admin\AppData\Local\Temp\kobig.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f97f8213a4f0d7fa17839b84e35f1359

SHA1
158608023d066718130cba51f540f9719d6e0d1c

SHA256
cb262acda89e1b82055d31a120fb3b36e8908cd6db0d135b1ca6193b0a0a68ed

SHA512
40d61ddd719878c163d3d19e3002dffa454401082bc502971e5c02c92d335a330d6c1f44f58907f4f0367b35cd20f4840c924497962c74e4df39544ac0fe578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cosut.exe

Filesize
332KB

MD5
97fcfacb6ac2ae93e9a0c1ed5918cfa1

SHA1
add9b6680b314177074f045598f036ace5fcab11

SHA256
eaca976fd1b45ff4805b376ed7e328cb27aa030da4ea2bcb988c2ff5409eda82

SHA512
a92ff06de9499f3eb0f821ff7102916fe4fb118ddb1543c065c06f67ae52010f7ddaa9760d445e3da28b1d4141c91c74078857b41ae818a4f5ca3d271a4e5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1914ce65aee63a5da88fd948c29a54ec

SHA1
3d6a9b98085f695128211c8f7912108a14452434

SHA256
d075e3243e26810d8c4b104ff5fb663bd3a51c826656f4a5c0b29a2e153ec135

SHA512
f0ce9963a10d99d8bc661fc8b0ced7e63a1c4c3831e13efc62c75d05bac71e73ec824fe4d9fa5c462451c53506e3cec7baec0d888c1738b2b057f93ce4ece5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kobig.exe

Filesize
172KB

MD5
615a38f4e2ba4db0ca98b9d6fdf93fbf

SHA1
db1fdc95edfd445f249c932218c1a3b14c89315c

SHA256
093d8483d14919d39eaf3bb269ee173b8cfe2d6d948f13745ebeb1cbb010edb3

SHA512
036db159f060e1c8fad987d8cd0e87b7f40fadd96117cc108d48b52e57b2587916dfd0071e7dda989d82bda6598460140775302b598ed0a9950f0bd9f282ee07

Download Submit
memory/332-47-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/332-46-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/332-51-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/332-50-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/332-49-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/332-41-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/332-40-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/332-48-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/332-42-0x0000000000550000-0x00000000005E9000-memory.dmp

Filesize
612KB

Download
memory/1492-17-0x0000000000810000-0x0000000000891000-memory.dmp

Filesize
516KB

Download
memory/1492-1-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1492-0-0x0000000000810000-0x0000000000891000-memory.dmp

Filesize
516KB

Download
memory/3812-21-0x0000000000560000-0x00000000005E1000-memory.dmp

Filesize
516KB

Download
memory/3812-39-0x0000000000560000-0x00000000005E1000-memory.dmp

Filesize
516KB

Download
memory/3812-20-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/3812-14-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/3812-13-0x0000000000560000-0x00000000005E1000-memory.dmp

Filesize
516KB

Download