urelas | 228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Size

331KB
MD5

b2b46805c6d9040e35b03cbcc2291570
SHA1

1f8c09742e89bc1920b0996382875069a2699ed7
SHA256

228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799
SHA512

05b4587e1e080bafc8d6b1c5f373273e0601d9e73fcf20ad33c19721e1cee1b89b3ea57081e301adac512b9140a2ea3b088b4ccfa176ae627d0823e4b9413580
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVH:vHW138/iXWlK885rKlGSekcj66ciEH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lubew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe

Executes dropped EXE 2 IoCs

pid	Process
5080	lubew.exe
3948	yzabt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lubew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzabt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe
3948	yzabt.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 5080	3596	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	88
PID 3596 wrote to memory of 5080	3596	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	88
PID 3596 wrote to memory of 5080	3596	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	88
PID 3596 wrote to memory of 2700	3596	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	89
PID 3596 wrote to memory of 2700	3596	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	89
PID 3596 wrote to memory of 2700	3596	228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe	89
PID 5080 wrote to memory of 3948	5080	lubew.exe	104
PID 5080 wrote to memory of 3948	5080	lubew.exe	104
PID 5080 wrote to memory of 3948	5080	lubew.exe	104

C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe
"C:\Users\Admin\AppData\Local\Temp\228dda6362c74b2d3bb06c974669db1868b3beef46c49d30c33b9b92d0e5b799N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\lubew.exe
  "C:\Users\Admin\AppData\Local\Temp\lubew.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\yzabt.exe
    "C:\Users\Admin\AppData\Local\Temp\yzabt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
321fde60b66c64c4701cb5b752f9d577

SHA1
217bdea5ccb5a394cf3da4f6147192343f9e6dbd

SHA256
4ebdee2fa534f770db37aca411d0ef97cd23540daf2f6fd39b4b73839571156a

SHA512
75036d7a7aac9e4a51335c3901ba5157701ba8f0b81264c050cecabb73185643cf6f71545d4683413b88fcd794d666805655251584c5aa89eac76cf6294c833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5e34ce86e2d2aa15dce0594302df6f9d

SHA1
f5c5f7b1282fb2819502b4d980b542eab46bc2f7

SHA256
872579a4df319c7677ec1de40fccf984ec39711f1ef09c3872789a913df1c766

SHA512
6c6ad7e7f910075d5b6bcae1316e743da7faeb95d1237a6547907f87064e9fbf163056b9ea43aab034318c2ce23f7e3621570ca56aed16882cd2e618c6cac9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lubew.exe

Filesize
331KB

MD5
a0849284fa724643826d27079ac00ab6

SHA1
79ec4e0e81dc28a179b4ba72cec61429325375db

SHA256
f1f4714e012f19059353a3d597e4a9c2c7989dabef2bf23b83c7f1d2a5809968

SHA512
6aebd82e0405439d568e76bc11336fb1ba00c84d8ecdc954a5a70a058805a24d57bd050a827826d3c936d5b9adf13272b208df0b7ae4bbf00a19a037d9f3c707

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzabt.exe

Filesize
172KB

MD5
8abcd6283e9af5530b18510bc21b7ce4

SHA1
f55415442a14eadec3a475ff8f045f4bb6c44c24

SHA256
34a0dae87ef3659618f3146585c71659362b58d3183727674e18bac3fcfe5591

SHA512
d699d1ebe95e5c2ade940641b51b1f2f9434b028edd94f212e3e88449a85cded9ec964a04965c68fb89f75bbd222f3faed38ed5d1dbef65f20d4b126f987937e

Download Submit
memory/3596-1-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3596-0-0x0000000000530000-0x00000000005B1000-memory.dmp

Filesize
516KB

Download
memory/3596-17-0x0000000000530000-0x00000000005B1000-memory.dmp

Filesize
516KB

Download
memory/3948-47-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/3948-38-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/3948-51-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/3948-50-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/3948-39-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/3948-49-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/3948-40-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/3948-48-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/3948-46-0x0000000000750000-0x00000000007E9000-memory.dmp

Filesize
612KB

Download
memory/5080-15-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/5080-20-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/5080-44-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/5080-11-0x00000000003C0000-0x0000000000441000-memory.dmp

Filesize
516KB

Download
memory/5080-21-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download