urelas | 12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
Size

557KB
MD5

8d37a8396842d719500c6a9794081307
SHA1

e477abc5b03e9d8608f732d823fceeb78263e4a3
SHA256

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82
SHA512

7dadab5806e550848488b9eacf7392b058c2a401e6a8f0e9ac174b07f6bb9e96af4f4ddf5f299beef64da9514cea742cd3b971341b52e5811f4bc362103ac960
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy4:znPfQp9L3olqF4

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exeuqnow.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	uqnow.exe

Executes dropped EXE 2 IoCs

Processes:

uqnow.exekunym.exe

pid	Process
4244	uqnow.exe
1652	kunym.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3960-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x000e000000023b59-6.dat	upx
behavioral2/memory/4244-12-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3960-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4244-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4244-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exeuqnow.execmd.exekunym.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqnow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kunym.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kunym.exe

pid	Process
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe
1652	kunym.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exeuqnow.exe

description	pid	Process	procid_target
PID 3960 wrote to memory of 4244	3960	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	88
PID 3960 wrote to memory of 4244	3960	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	88
PID 3960 wrote to memory of 4244	3960	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	88
PID 3960 wrote to memory of 220	3960	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	89
PID 3960 wrote to memory of 220	3960	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	89
PID 3960 wrote to memory of 220	3960	12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe	89
PID 4244 wrote to memory of 1652	4244	uqnow.exe	102
PID 4244 wrote to memory of 1652	4244	uqnow.exe	102
PID 4244 wrote to memory of 1652	4244	uqnow.exe	102

C:\Users\Admin\AppData\Local\Temp\12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe
"C:\Users\Admin\AppData\Local\Temp\12e288341c8280493cd6ecfedccdbec871ff3a179a8be438fd87d761731ddb82.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Users\Admin\AppData\Local\Temp\uqnow.exe
  "C:\Users\Admin\AppData\Local\Temp\uqnow.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\kunym.exe
    "C:\Users\Admin\AppData\Local\Temp\kunym.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
878fd48f02ed0ec577b997344e95183a

SHA1
6e17a32caf0937778aa99aa7b6bb96a836df8e8e

SHA256
27d2a93379bb24993974d307d7f5ec926e2b1d3635d5116bccbd0c57c95c6500

SHA512
fc312460980cdeb7f9eff89cbc3483ad6ab5df1da851e89e5c80c971db7d46014d943077c4e7342a7367b530858978ba073fd2c262f352fa01a391fe2c5c6a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e187cbacafb8ec9424243b9c2ba0c901

SHA1
ac06eee94104e9f4084c78d3987a9778da959570

SHA256
3d663f7386c71c186ad7f61e919c3ed47685969107743b385e69299ae234e5ea

SHA512
0eab040a5207f5ae358886ac6ea56e063317524b76696e75cf0dac6ed2c8318425a06acd773d60b0459a41dbf79b73d17b3090cc705f800558b2fab136e10d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\kunym.exe

Filesize
194KB

MD5
65c8147aac4c8a77bfc63d5d21e99b2d

SHA1
ec1698001cfcc62a04ee915c06a2a277692cfc32

SHA256
992d8662ff44cdc6aa0d0d049db6b607e73d9343e017df3ee753aee6edf26dfa

SHA512
03e23cf405938031ce84913375d0f9fbb5167285dc0603dca5247c5e2c9b65c74d112f3c8f9571e13aaa14a394ba676221a2bfba38c00138f228e5c21619df9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqnow.exe

Filesize
557KB

MD5
47935c202531a473c40620b74842b593

SHA1
88e9111dfef931cb7c111cdc611e52ad2ce9679b

SHA256
56477580b3238efbd1e8a7dce18fabb7ed95dddce9bf0841cdcc85a018a35b6b

SHA512
9fe5e8c1177cf0e3b779d3a8515d090a7c5b344b3f8fce6675e3e646b004b2a81fea96baa24f4e43cbd669e10b49ec7be6180b91943d031270bd818eef4ed4bb

Download Submit
memory/1652-27-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1652-25-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1652-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1652-31-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1652-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1652-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1652-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1652-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3960-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3960-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4244-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4244-12-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4244-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download