urelas | b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe
Size

505KB
MD5

053f3c2896703544b2afc8a7d257d336
SHA1

52ef9b00ea8ea3ea12c3a1cc5f36a025b17a9eb4
SHA256

b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9
SHA512

e8599bd638cc3dc7ed44280af06ac16184cfac461758cc139fadd9e0a134c77e5fb5e8407a5547ef62547d2342f39fa8acdd783ad30b8fac48c09ab626955c04
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKoEh:3MUv2LAv9AQ1p4dK3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	puhuw.exe

Executes dropped EXE 2 IoCs

pid	Process
1908	puhuw.exe
1624	ejgap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puhuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejgap.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe
1624	ejgap.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1908	4836	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	87
PID 4836 wrote to memory of 1908	4836	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	87
PID 4836 wrote to memory of 1908	4836	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	87
PID 4836 wrote to memory of 4792	4836	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	88
PID 4836 wrote to memory of 4792	4836	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	88
PID 4836 wrote to memory of 4792	4836	b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe	88
PID 1908 wrote to memory of 1624	1908	puhuw.exe	110
PID 1908 wrote to memory of 1624	1908	puhuw.exe	110
PID 1908 wrote to memory of 1624	1908	puhuw.exe	110

C:\Users\Admin\AppData\Local\Temp\b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe
"C:\Users\Admin\AppData\Local\Temp\b9f544d5ba7e76560f9a80c71fbf0ebd8711e5e03b99da0c68bbc96f6d64a9f9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\puhuw.exe
  "C:\Users\Admin\AppData\Local\Temp\puhuw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\ejgap.exe
    "C:\Users\Admin\AppData\Local\Temp\ejgap.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3cf6ea4b98f2c1323929b293f1e5c1ba

SHA1
ff1892913533fd8bf64d617027a753a617e1ec61

SHA256
f736688d40528811ea4efe68a62686927662db7a2af29798638a3255f1c33da4

SHA512
5224dba1e08821ed00ae7562371edb5b6de648021a9c6d5a3a668d43107cbe3f87156a304e513ccbefe2e269dd873ac314ddbd2c3e3fb09dd276f43633857251

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejgap.exe

Filesize
172KB

MD5
d47c3839489e999b98520edf281f111a

SHA1
88703aff235468a8f0e782be3e7e139feeadd22a

SHA256
0201055f5f1f41ba301662c5d8a36a78910c6c965e0f3d73317b06ff1c523770

SHA512
2e2b0608b40db4e15bdef614d4f6c2670fa64867728e77bfd06bcd5392d1cbe97351fe8cac85a0dc7d440ca0af4f47a3e8622c8eefa6321d3f1584d95b6e743a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3c79702aa17996411a03601fad3d73d6

SHA1
01b69a8bed765fcd4c9e6c16565e2d26d379c1af

SHA256
86e789fdb0de23f5570a32f6a81c0069346c1310e116200ff03718f6e1c3e44c

SHA512
1fe1fb6788009be971931328325c3e0a080827243fa766e8b8590574a54ceea08f21c849bf69c8d8dad8467010ee8814d3d392f46db7071cbcc037ad6f284177

Download Submit
C:\Users\Admin\AppData\Local\Temp\puhuw.exe

Filesize
506KB

MD5
77559df674009dac72c480d6358c13f5

SHA1
8348e029a6c415b0dbfa4186c25f9f77df693625

SHA256
7f1efa650765882661438271567260515f6310fa9e21e20a08d8fef00ff44760

SHA512
c8d57e1b5caedeb143c84dbc49613a9e9a0ed747c105db494739a01cce1ab33ab4e8e5f24e9214faed04dc18bb6eec636165b035c91d58b26a962dfdc81ca6a6

Download Submit
memory/1624-28-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/1624-35-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/1624-38-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/1624-37-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/1624-36-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/1624-27-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/1624-33-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/1624-29-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/1624-34-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/1908-26-0x0000000000550000-0x00000000005D1000-memory.dmp

Filesize
516KB

Download
memory/1908-11-0x0000000000550000-0x00000000005D1000-memory.dmp

Filesize
516KB

Download
memory/1908-17-0x0000000000550000-0x00000000005D1000-memory.dmp

Filesize
516KB

Download
memory/4836-14-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/4836-0-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download