urelas | 896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
Size

332KB
MD5

53b4aad111dd092c1ed41cdacdff51ed
SHA1

529d031eda234ec9ed2c0cf252154544c054176c
SHA256

896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe
SHA512

c8436f4e032d23f0dc8dbc51a2c3e034fee3c40126dab94c0ee0791105ace7bd3ef3fea47b92d4452b860f251273c53412c13e0550b45ad3528838cad403751a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYf:vHW138/iXWlK885rKlGSekcj66ciS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cezef.exe

Executes dropped EXE 2 IoCs

pid	Process
2476	cezef.exe
464	elgev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elgev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cezef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe
464	elgev.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2476	3580	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	88
PID 3580 wrote to memory of 2476	3580	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	88
PID 3580 wrote to memory of 2476	3580	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	88
PID 3580 wrote to memory of 2072	3580	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	89
PID 3580 wrote to memory of 2072	3580	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	89
PID 3580 wrote to memory of 2072	3580	896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe	89
PID 2476 wrote to memory of 464	2476	cezef.exe	103
PID 2476 wrote to memory of 464	2476	cezef.exe	103
PID 2476 wrote to memory of 464	2476	cezef.exe	103

C:\Users\Admin\AppData\Local\Temp\896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe
"C:\Users\Admin\AppData\Local\Temp\896af404b97206a74df3d1213c8b1c5657f0fbbc207aeb4ac30864df5faf3afe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\cezef.exe
  "C:\Users\Admin\AppData\Local\Temp\cezef.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\elgev.exe
    "C:\Users\Admin\AppData\Local\Temp\elgev.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1b5679d98aa27ce59af39bee793ac5ba

SHA1
165d9906d3e10c631adf587bc205ee48a30181a7

SHA256
4ac71c1a8674ff3b59a7d181587199ed849a480c47b0d1035bed4995b361a9f4

SHA512
22cb254358f0b8511c9f630dcf1d96f4e56351c49f18a5350aeb467796efca839c281cb9073f17647f43030e656dc612210b3e802f1103cd54f3a11eb7afa50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cezef.exe

Filesize
332KB

MD5
6f721ab612b06c270a42cfd5841a6970

SHA1
fbaf60ccf5dacd08fea1028ac22a147735e74ceb

SHA256
84f2c40b6c2703ab892f9c841e1af5543189b11f07b59ac52f1c6086e058e4bb

SHA512
38bfa15028e56e6471b70c29b241902035d8f96bdbfbc57b0964edcbb8f3b0c31c69a1e9e52fbfacc5e9fef3f9acabe932ce239d319982d22e7e71abbd9005fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\elgev.exe

Filesize
172KB

MD5
61ea126d14b9b07a77c9fa24662d2b44

SHA1
76b9aa707bf6b235cfa4b5178ad2391ef22ddf46

SHA256
8b58d4511be7fc534a9650a7bb569a55c36948b4ee9017f00c79423b0b3d4cd7

SHA512
fc782bc1cfb0d7661a74ef71111907d3fdca67fa866adaa89a6177fec7714276f3b25af609bf003d3cf7d7903ed8a7d961377723d5434732aa97be30bd2f2cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
75474537a2733ba706dbf27aca9fc996

SHA1
ca5fa3efcd7a36e8b54ce9288973e4c932a3e311

SHA256
0270c96f17f48377e4c4afa8d40e70717bff2fe0e84830cb23ca677d9cd1f135

SHA512
d8973f5bb381ce46cc4eb6295fa4bf203d705db6a897f12f8f9610a41e74e6f7d7ba3650982907180f4290ce2b8a755dcfd38bb1c1b760478fbd6a16a8aca3e4

Download Submit
memory/464-44-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/464-45-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/464-49-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/464-48-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/464-47-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/464-46-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/464-37-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/464-36-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/464-38-0x0000000000C90000-0x0000000000D29000-memory.dmp

Filesize
612KB

Download
memory/2476-42-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/2476-19-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/2476-11-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/2476-14-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/3580-16-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/3580-0-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/3580-1-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download