urelas | 4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Size

333KB
MD5

af649e88296ceb9e1d695358491cc750
SHA1

830da14bc248fa18205b5a0cbdb812734ca69b58
SHA256

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f
SHA512

95bf144918ca6ccbfb7d9598f8f35e466cc92231c2cdf83675fc95ef5c75a56024f3148801850e4acf64ba7e00d361db3edf0aece87dcb27c3e57e623e57190a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPy:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	woqew.exe

Executes dropped EXE 2 IoCs

pid	Process
1304	woqew.exe
2624	kabub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woqew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kabub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe
2624	kabub.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1304	2024	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	87
PID 2024 wrote to memory of 1304	2024	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	87
PID 2024 wrote to memory of 1304	2024	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	87
PID 2024 wrote to memory of 4472	2024	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	88
PID 2024 wrote to memory of 4472	2024	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	88
PID 2024 wrote to memory of 4472	2024	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	88
PID 1304 wrote to memory of 2624	1304	woqew.exe	101
PID 1304 wrote to memory of 2624	1304	woqew.exe	101
PID 1304 wrote to memory of 2624	1304	woqew.exe	101

C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
"C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\woqew.exe
  "C:\Users\Admin\AppData\Local\Temp\woqew.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\kabub.exe
    "C:\Users\Admin\AppData\Local\Temp\kabub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
51eb60591001633f51a3690f0d69b21c

SHA1
2c5ab7a2e840ff3b4a81c85dd668ff6908dd31b3

SHA256
00b3935a5e5c00cc5640df9e92aa90903353835e2e1371adcd507be48aa3bdf7

SHA512
de8273739713c511957d81e151d4109d17a9d7d6f5322bf166869ad8a8f90d38b96586523009d6bcf425c257709131de69a0fbbb99209b533eb330c73836a217

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b2c70a3b45ed717419cedac8569d7a56

SHA1
bb4f077fa6e1889449d88e32d2fff599795f0e30

SHA256
86d6f166477e6f14b0a62b79f64a01b076c7f2bfab29e6faf305db1e5d745967

SHA512
d59293d15b05c1e3a34ad45e2f9ca7fb012ce87787307de14ad45c43bcf461b5d02d35d94b2f4dc48c1639387a534e6ef953323dc691072c16a14524c942ae1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kabub.exe

Filesize
172KB

MD5
5516211ea505fd7719d1987397efc345

SHA1
500d89ea591a01ede54d897e25f9f04a11f3c959

SHA256
473d297438a978393ce9b7ebe9baf7c1348b66a6f670ded4b8109a61b5620f08

SHA512
1381ad01299de73da0c9386ed7a946ff738e0e3af29d387ffef319350408329adb6f258381078ee8fc02b4c37c4739b7b6620c385242cfb2af223c901e682612

Download Submit
C:\Users\Admin\AppData\Local\Temp\woqew.exe

Filesize
333KB

MD5
e304d38b4c3455fd7f33a36e62cfe33f

SHA1
2961330d6cd060925bd3ce3a1e593ebfd176aa5d

SHA256
1b0dd136ee0463a096fb3fe68ae78667c57e73cea790abf83ff9a179683244ad

SHA512
a98f16e2bc13e3c6292886c8acf45038b0d7c92377ef51454950907036b8afc969d009746492bfb7925cb977c9529cc115497cf2092a24f0546f96b96670205e

Download Submit
memory/1304-42-0x0000000000860000-0x00000000008E1000-memory.dmp

Filesize
516KB

Download
memory/1304-14-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1304-13-0x0000000000860000-0x00000000008E1000-memory.dmp

Filesize
516KB

Download
memory/1304-19-0x0000000000860000-0x00000000008E1000-memory.dmp

Filesize
516KB

Download
memory/2024-1-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2024-16-0x0000000000D00000-0x0000000000D81000-memory.dmp

Filesize
516KB

Download
memory/2024-0-0x0000000000D00000-0x0000000000D81000-memory.dmp

Filesize
516KB

Download
memory/2624-37-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/2624-36-0x0000000000B90000-0x0000000000C29000-memory.dmp

Filesize
612KB

Download
memory/2624-39-0x0000000000B90000-0x0000000000C29000-memory.dmp

Filesize
612KB

Download
memory/2624-45-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/2624-44-0x0000000000B90000-0x0000000000C29000-memory.dmp

Filesize
612KB

Download
memory/2624-46-0x0000000000B90000-0x0000000000C29000-memory.dmp

Filesize
612KB

Download
memory/2624-47-0x0000000000B90000-0x0000000000C29000-memory.dmp

Filesize
612KB

Download
memory/2624-48-0x0000000000B90000-0x0000000000C29000-memory.dmp

Filesize
612KB

Download
memory/2624-49-0x0000000000B90000-0x0000000000C29000-memory.dmp

Filesize
612KB

Download