urelas | ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
Size

332KB
MD5

c667e50123f002e1f2c03e2b39241a5d
SHA1

d88af9b44a3edae04e48b4fdb0aa271bc5a1f6cd
SHA256

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc
SHA512

fc7702185feb529d21af9a14c6b451a807087e838b73a4970d4bd5258d496bd952d95d73373f5836737937a41888f8781f77e0a0a0eb11835054984980fc1218
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV5:vHW138/iXWlK885rKlGSekcj66ciE5

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exetoavd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	toavd.exe

Executes dropped EXE 2 IoCs

Processes:

toavd.exekyijz.exe

pid	Process
3224	toavd.exe
3696	kyijz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exetoavd.execmd.exekyijz.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toavd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyijz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kyijz.exe

pid	Process
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe
3696	kyijz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exetoavd.exe

description	pid	Process	procid_target
PID 3904 wrote to memory of 3224	3904	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	90
PID 3904 wrote to memory of 3224	3904	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	90
PID 3904 wrote to memory of 3224	3904	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	90
PID 3904 wrote to memory of 2020	3904	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	91
PID 3904 wrote to memory of 2020	3904	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	91
PID 3904 wrote to memory of 2020	3904	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	91
PID 3224 wrote to memory of 3696	3224	toavd.exe	102
PID 3224 wrote to memory of 3696	3224	toavd.exe	102
PID 3224 wrote to memory of 3696	3224	toavd.exe	102

C:\Users\Admin\AppData\Local\Temp\ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
"C:\Users\Admin\AppData\Local\Temp\ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\toavd.exe
  "C:\Users\Admin\AppData\Local\Temp\toavd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\kyijz.exe
    "C:\Users\Admin\AppData\Local\Temp\kyijz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
71023c4d9f4215e45953dd8cf1ba9bc6

SHA1
aa3f1afd2cbb8e6e9de5e3f0e8d904218ef13e30

SHA256
ce4c6fa6aa1429997de8ca2aa09345ea49c6ba9ea057a4d00a1c64ece8f52813

SHA512
acd6d4657e6d3a2e5b145c8f82d5b1e704fbfffd458e08e9024acd171dc554452261952b6c8faa4abf4de1af49b6471f73df149cb3aa092e48b81ca431efd1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
79d11e98321494573979f23a756d9339

SHA1
97a1d8eb08db1589a0752974db0ac9d1cce80955

SHA256
e9a92fc18176db38d0a9807ca97c9ccbcb6352cfb3caba232a8ffc461283c197

SHA512
698af9d44ed6abe1a5ba86e3b10b87d8c5946baaf2c02abcde6cdc730e07c116261196c3a4b635735a2582bd0cb837a821104fcae902c05aae7fe0d105433d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyijz.exe

Filesize
172KB

MD5
39d908434bcbc3c4cfd550652746710d

SHA1
8f9c9b1f0b500a622d3b940447c7823764d26252

SHA256
5a411eb5bcd5cb89c5e272034bcc0035b4485a620136766b6077ceb8eaa3bbd0

SHA512
856a530c5355238d8809d08f5a5d5b90e0b739064990b8e138b4061ee229b0094a149177bab21d38a0c13ef2bef9be6c7d6fc1b2ea07178cf8d921f8e08c19c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\toavd.exe

Filesize
332KB

MD5
2bf35acc6bd0705bb3f5747068fa76cf

SHA1
e32ff275c94d4fa2af71e0a9ae875331acd5578c

SHA256
c84b980f977ca4eb463d2beea776d0e5cb9f09e8156200a8e424c651c68a1675

SHA512
4e49c0e383bca4ade1964497df7a3d161455a53c4e710fae59d799efcce98fdcfb57162f2b6f49344281f4992df09393454d83aca7bd93eddf51ee86c29f35a4

Download Submit
memory/3224-20-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/3224-44-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/3224-14-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3224-11-0x0000000000240000-0x00000000002C1000-memory.dmp

Filesize
516KB

Download
memory/3224-21-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3696-46-0x0000000000F50000-0x0000000000FE9000-memory.dmp

Filesize
612KB

Download
memory/3696-42-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/3696-41-0x0000000000F50000-0x0000000000FE9000-memory.dmp

Filesize
612KB

Download
memory/3696-38-0x0000000000F50000-0x0000000000FE9000-memory.dmp

Filesize
612KB

Download
memory/3696-47-0x0000000000F50000-0x0000000000FE9000-memory.dmp

Filesize
612KB

Download
memory/3696-48-0x0000000000F50000-0x0000000000FE9000-memory.dmp

Filesize
612KB

Download
memory/3696-49-0x0000000000F50000-0x0000000000FE9000-memory.dmp

Filesize
612KB

Download
memory/3696-50-0x0000000000F50000-0x0000000000FE9000-memory.dmp

Filesize
612KB

Download
memory/3904-17-0x0000000000810000-0x0000000000891000-memory.dmp

Filesize
516KB

Download
memory/3904-1-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3904-0-0x0000000000810000-0x0000000000891000-memory.dmp

Filesize
516KB

Download