urelas | c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
Size

333KB
MD5

b73a1d20ba44fc157c979919730d53b0
SHA1

68decb89026da30677cb4a15bfc06fd6731fcc43
SHA256

c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1
SHA512

885e5a1a60ea24c48a0532833c7c0254665d119c53dfc6ede7c929cbf408450235ba9bc295e0eb8e26ec0587c414795c061288bab0d51a5aa4237925e9e09c08
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9D:vHW138/iXWlK885rKlGSekcj66ciWD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	hovyc.exe

Executes dropped EXE 2 IoCs

pid	Process
4844	hovyc.exe
4672	zoqiu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hovyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoqiu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe
4672	zoqiu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4844	1404	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	88
PID 1404 wrote to memory of 4844	1404	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	88
PID 1404 wrote to memory of 4844	1404	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	88
PID 1404 wrote to memory of 3224	1404	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	89
PID 1404 wrote to memory of 3224	1404	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	89
PID 1404 wrote to memory of 3224	1404	c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe	89
PID 4844 wrote to memory of 4672	4844	hovyc.exe	108
PID 4844 wrote to memory of 4672	4844	hovyc.exe	108
PID 4844 wrote to memory of 4672	4844	hovyc.exe	108

C:\Users\Admin\AppData\Local\Temp\c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe
"C:\Users\Admin\AppData\Local\Temp\c894b6d294b57a79f7f2a1724559625acb76ad59487d4944991c15e8cc364ee1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\hovyc.exe
  "C:\Users\Admin\AppData\Local\Temp\hovyc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\zoqiu.exe
    "C:\Users\Admin\AppData\Local\Temp\zoqiu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
c326a90cd16d97acc9229102e6666204

SHA1
93c2b71d8d210da2c5cd2ea5b147eba0cad85022

SHA256
887a78279680dece945f2b3f1f84e4e071a035b5d3be545b22b87d272c1f8d5b

SHA512
f7a3401e4684c1f1fb50ee2265dcd21dd952f11c2b9149362f5f9f4ce1c8cc6c227e284d373a79294dc6c4abf03dd31d1dfed7e5bba99ac2a2655cd829343a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1003cfd93937316ae952c33f939336c0

SHA1
be43eb0c127cb1bbe0622914ddc79405057febe9

SHA256
12234db90d10f98ed6ae5c58165b62d99f4c839f43d0b601fd7e881f89b2db41

SHA512
2a34c03f5ba7b20d867f435863689b0a4715265a1fb1aa463e0b73fb594dfb660e0fe484955bf2558b391262f62a72c794e69c5d97d9972af9014703317bef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hovyc.exe

Filesize
333KB

MD5
bdb275e7a4c1726ce42f22ae92fa2324

SHA1
f6622608d8964da5377628adda2374b0ac11306b

SHA256
312cf66420fc75ee6a67487f91489459081656f90f87da97fb1d23126537f363

SHA512
72a88e9548c6aec4a82392ca772da676533f8ea55a73958b43fa00a2cda2a9c1afdd6a29d851d85a338e852e0bfc2822092fbcd98c3ba1d31feac6ab373038fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoqiu.exe

Filesize
172KB

MD5
821c4944b9aa4915cd0aadad88f7c1a2

SHA1
22164861911809ebbaa28e640a689fcf6424e252

SHA256
5379f1ee31d0fd9bed2ddcfb4f5698e09b9828779a699ef5ac2c9284a557e049

SHA512
359498ca50ff2ed27d2656e53ff2697d13a96fe072209193dcc93500dd9c49debcd532c3673563117e47aa5e15b06d508d8fa787a128a9fe200744c7d3ae181d

Download Submit
memory/1404-17-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/1404-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1404-0-0x00000000001C0000-0x0000000000241000-memory.dmp

Filesize
516KB

Download
memory/4672-48-0x0000000000460000-0x00000000004F9000-memory.dmp

Filesize
612KB

Download
memory/4672-42-0x0000000000460000-0x00000000004F9000-memory.dmp

Filesize
612KB

Download
memory/4672-51-0x0000000000460000-0x00000000004F9000-memory.dmp

Filesize
612KB

Download
memory/4672-50-0x0000000000460000-0x00000000004F9000-memory.dmp

Filesize
612KB

Download
memory/4672-39-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/4672-49-0x0000000000460000-0x00000000004F9000-memory.dmp

Filesize
612KB

Download
memory/4672-38-0x0000000000460000-0x00000000004F9000-memory.dmp

Filesize
612KB

Download
memory/4672-46-0x0000000000460000-0x00000000004F9000-memory.dmp

Filesize
612KB

Download
memory/4672-47-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/4844-20-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4844-13-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/4844-41-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download
memory/4844-14-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4844-21-0x0000000000B20000-0x0000000000BA1000-memory.dmp

Filesize
516KB

Download