urelas | 0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Size

446KB
MD5

019dd5686e62593b1a205d4d1a4b85d0
SHA1

2e9ecbe2eb2d55692a299be7f155117284f077de
SHA256

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42a
SHA512

c083b7175daca3d47ca5e6b723de9178367be5dc1cd6a49f2509649e245a73ff83ca05e52626c0971dda3bd1c176d2182c40b1a884c1963bf9b20e77c3e43460
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoG:PMpASIcWYx2U6hAJQnS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeanevr.exexoozsu.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	anevr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	xoozsu.exe

Executes dropped EXE 3 IoCs

Processes:

anevr.exexoozsu.exenaerp.exe

pid	Process
2304	anevr.exe
1608	xoozsu.exe
3920	naerp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeanevr.execmd.exexoozsu.exenaerp.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anevr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoozsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	naerp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

naerp.exe

pid	Process
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe
3920	naerp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exeanevr.exexoozsu.exe

description	pid	Process	procid_target
PID 1192 wrote to memory of 2304	1192	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	85
PID 1192 wrote to memory of 2304	1192	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	85
PID 1192 wrote to memory of 2304	1192	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	85
PID 1192 wrote to memory of 4124	1192	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	86
PID 1192 wrote to memory of 4124	1192	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	86
PID 1192 wrote to memory of 4124	1192	0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe	86
PID 2304 wrote to memory of 1608	2304	anevr.exe	88
PID 2304 wrote to memory of 1608	2304	anevr.exe	88
PID 2304 wrote to memory of 1608	2304	anevr.exe	88
PID 1608 wrote to memory of 3920	1608	xoozsu.exe	103
PID 1608 wrote to memory of 3920	1608	xoozsu.exe	103
PID 1608 wrote to memory of 3920	1608	xoozsu.exe	103
PID 1608 wrote to memory of 3932	1608	xoozsu.exe	104
PID 1608 wrote to memory of 3932	1608	xoozsu.exe	104
PID 1608 wrote to memory of 3932	1608	xoozsu.exe	104

C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe
"C:\Users\Admin\AppData\Local\Temp\0430d47ffd2ba594f4d9c097f1196404088be865e3224d692a4aa5d43ea7f42aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\anevr.exe
  "C:\Users\Admin\AppData\Local\Temp\anevr.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\xoozsu.exe
    "C:\Users\Admin\AppData\Local\Temp\xoozsu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\naerp.exe
      "C:\Users\Admin\AppData\Local\Temp\naerp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
8793e8e433434c5cee43ad475aa4d66c

SHA1
d351f2ad621f15703700f01be489c6557b2cb6cd

SHA256
9fe8bc2c5103c12e5bf4e54e427889bd1f8f00c98482a455c474829d13300e58

SHA512
528537bc19535f822498b561840c4b81524101b2656c6b0eab4e83e36841f99e20d8d54fe7923f3b7e48e007e062b01a2cd4fc2ff93354e26597f061a1e971d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
55350500e0a1333d4a22ae672fb27a00

SHA1
10391aa7e33e426c149d77e2af51c3d8277e9276

SHA256
e96c93061a6ea0477e0ca49f33f872942db37219a23fec6e1331b9c10dbf0764

SHA512
63e8d950f9a5b2a052f048f9d537170de26c8917d7695e1577bd99be2d8e706d95c63072ea61d2bd6467360e10d98f25bca19ac7878f7fb1f8d5a22712a19c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\anevr.exe

Filesize
446KB

MD5
753af8e87aa74619dbc0531aa61bbfe7

SHA1
f21356296685e50da6b1f350826f6194f29a3059

SHA256
88c439cc4f05135e1ec016ef723d0b64425dfbc9ea34f53136e2c762b0363b6f

SHA512
c685cacefa62681c43c90d0ee04098860edb3c278a49b8aceb9915e2d091c1dad384acea1c9610c1875fe83597da08e6bc1f3a5659ca6006c0f7eaa05470cca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bb5b2103fad09fdcf2e445af2c099e71

SHA1
2cc61665cd2e28e72924d48877e87718d2ed6fb5

SHA256
4bf9209231eebb8dbcf463a2ae718469c94b0f1cfaef122050b5cd4026726538

SHA512
c5d208d45f675135c7b51927783db5d1cb61c8f4232af78d5d0abff7760e62b3c58fa2b814ad6f16509512f074d3e076dccab565ec83d95b235fa5c9126b2321

Download Submit
C:\Users\Admin\AppData\Local\Temp\naerp.exe

Filesize
223KB

MD5
d9dcdeb62b7d8d5b3d6ebf54a202340a

SHA1
f2eecac4d110a59d8929e12699c95cc11fea4399

SHA256
48d0671479e9302ef6a11d98ad5a0bb0f2db86cc9426eca38830c05ef7e78752

SHA512
7c2a3447a1e3c9cb12ffc6c5b6806776e5d196fdc880ae38e805881a27c44d8148cf567fb66cc3303d26a57e87338394c8f1057776077380140104438d74b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoozsu.exe

Filesize
446KB

MD5
30aab164203f943eac9d671a74f47da0

SHA1
93a3405cc78d533c01fd0871deac5b9b86b27c3d

SHA256
aaf74210549cb06fecdd843c8801b67f280afc84b586195c5f9d1ebcd718e60b

SHA512
aef02943d996bf38b772b7964999ebe4bf67e11c9f7c48b64d5e169fd0d36adb385acab7428c8f024fb8b5d4d2a00be56290483fea3bbbc513c602ea43014179

Download Submit
memory/1192-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1192-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1608-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1608-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2304-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3920-36-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3920-41-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3920-42-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3920-43-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3920-44-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3920-45-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download