urelas | 326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe
Size

333KB
MD5

581eab6e8b1c1d42771ae046ff6e65a8
SHA1

2152ebcc38d31070aefe7ad02b414dc4a5b81b9f
SHA256

326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad
SHA512

659111e8f45e1579a517176ec43f9b6bf08a90f9d5d9af0274b01948f18e6e50526cf6ca376b0ba0f2505604134d34194dfe12b6ca8cea4dddedccdc8aef9326
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9H:vHW138/iXWlK885rKlGSekcj66ciWH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	nydym.exe

Executes dropped EXE 2 IoCs

pid	Process
4200	nydym.exe
628	linac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nydym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	linac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe
628	linac.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4200	3460	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe	87
PID 3460 wrote to memory of 4200	3460	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe	87
PID 3460 wrote to memory of 4200	3460	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe	87
PID 3460 wrote to memory of 1812	3460	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe	88
PID 3460 wrote to memory of 1812	3460	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe	88
PID 3460 wrote to memory of 1812	3460	326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe	88
PID 4200 wrote to memory of 628	4200	nydym.exe	107
PID 4200 wrote to memory of 628	4200	nydym.exe	107
PID 4200 wrote to memory of 628	4200	nydym.exe	107

C:\Users\Admin\AppData\Local\Temp\326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe
"C:\Users\Admin\AppData\Local\Temp\326a1837acd2b7a4e1c842bf647c1eba86e4332730f341ad116a199b835f2dad.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\nydym.exe
  "C:\Users\Admin\AppData\Local\Temp\nydym.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\linac.exe
    "C:\Users\Admin\AppData\Local\Temp\linac.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
4045389627a7bfcfac8f0a3c087b69da

SHA1
8f467818bb334860cfab312c1a3d54c75f566bc6

SHA256
6bcbee859f8c5406c9146dd2bb386da5bb9d91b8c79b9481caa945b4dd46941d

SHA512
0b5407abe3626706c366c35969ccbf214ceeb706a028af59b6fb1d599c40a81049329f7d84474fc8b318e9f521e3033ea2b1c04ccbafdc312e19592094499991

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4f805884e0fd992b3af8c177b89e89ed

SHA1
542bb68566ad1797badd970a93f4706266c9337a

SHA256
9bcca27a5f52bfa1747c1b1a59c58c196687e03d2ffe5f99753f8404a6afcd03

SHA512
ed3fbf3af981378eb9df88159eb06273a2aafa1f9f34f908da66a38b893341afc5421130540482a2e7098c06c1512b44ffb0ebb6401b2ca36814cf197ad45e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\linac.exe

Filesize
172KB

MD5
9d34aef1939d01498957471b6995f722

SHA1
9e2f6ec9ce8a4b8585791e2faaa9d4bc46c938ce

SHA256
abedd583702f7a12743cb0e9e95925b5d5c005f29be8be6b816ed1d812bf8a1a

SHA512
185162ecc6c56612a4198da1ff337d12a22543785d51290763d1ccfd2ed31bdc810567e7893a6098f7f97d8d352b35524dbc0418379cde687e96808aee7c2a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nydym.exe

Filesize
333KB

MD5
aae5201d2b4f52c8a4b70813df3ccf30

SHA1
c2cbcf2d72912d225d127d6f05205daf39ed2708

SHA256
cb8333654db3f35851fcf4aef01a57378e5167f334ce990f0314157840d3244d

SHA512
65c33badb3b104541b2f572d71925572b97d92170e965fb2ba9775e72f93c4342d62c509acd044aee91bb74075a2930490f559ad812a61c399c672033710edf3

Download Submit
memory/628-45-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/628-46-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/628-50-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/628-49-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/628-48-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/628-47-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/628-38-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/628-37-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/628-40-0x0000000000A50000-0x0000000000AE9000-memory.dmp

Filesize
612KB

Download
memory/3460-17-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/3460-0-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/3460-1-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4200-43-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/4200-20-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/4200-11-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/4200-13-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download