urelas | b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Size

332KB
MD5

1024d773fc47520c1454b600cdfee860
SHA1

7cb1ce05b8c60995daa64416b925426f139ea134
SHA256

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1
SHA512

60a3f88d1c6403e58d391bbb9534b06aa5c928b1fea3d62b39927dda85f4186b59b6b3ee709bcc8339ba2309a969fe3ecd281e43877068069c5f5391704e6a7c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ynzyw.exe

Executes dropped EXE 2 IoCs

pid	Process
1932	ynzyw.exe
2700	xuewu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynzyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuewu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe
2700	xuewu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1932	1684	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	87
PID 1684 wrote to memory of 1932	1684	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	87
PID 1684 wrote to memory of 1932	1684	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	87
PID 1684 wrote to memory of 2512	1684	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	88
PID 1684 wrote to memory of 2512	1684	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	88
PID 1684 wrote to memory of 2512	1684	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	88
PID 1932 wrote to memory of 2700	1932	ynzyw.exe	108
PID 1932 wrote to memory of 2700	1932	ynzyw.exe	108
PID 1932 wrote to memory of 2700	1932	ynzyw.exe	108

C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
"C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\ynzyw.exe
  "C:\Users\Admin\AppData\Local\Temp\ynzyw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\xuewu.exe
    "C:\Users\Admin\AppData\Local\Temp\xuewu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
04a7bfa8eb94ca946e1a890cc85ebfa6

SHA1
f9cd3e2f86e97ac420219e2fba3787684910607f

SHA256
a25689378fb74347ddc425110ed6f13f5a10787ba1913001946839a8953a972d

SHA512
b7fda068921b8ceebc1a74afd9a5e1ca9e3fbc60b9054c92afe9fa88293561894ef67f8e7cbe8abbe86bcef98350a803b9450eb6cf051b57433a4d4b6b67bc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9b0cbcdd1336fa1a5a58b286131f05ab

SHA1
aa988a5ae10f4a718a8279d333ebd30e77e291e0

SHA256
dbfc0450dd1c0563861f8d1f05231dcc6cd4d7726931e05198d90f7e398b90c6

SHA512
6087ef0a28a3a8068e2f19744ae9b9a2faafbcacd900dad1d19a01040cc81c378edf93f7a83ef8ad64b187d7c836af037d74c30701e97fba2c8f61cf9c501148

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuewu.exe

Filesize
172KB

MD5
ce825f75ddaa525a7e3fc081ebc977f3

SHA1
a589f6e350766abe007b1fd3e49796ba67f3cb81

SHA256
7ac0c8790176b220fb43c643d084a4cf7409fc3ef8b103461cc5932c71f9ada4

SHA512
92803196791c1a613380de15d2035401ddc608d609c6f39a91bc84348d826800cf40f567de2ec0640e8d32c9095add20cd74de7596c71fbe622b5d02e9dd6724

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynzyw.exe

Filesize
332KB

MD5
9a45850b826fce48343922fc13307ee0

SHA1
aa9f017ac9fe773f80c40e1cc102ee19476417a8

SHA256
a2351dd10d5188294e8df7b07c87d0da76db6eb8d5120efda19166348512986a

SHA512
014f2ca171b29bc650407f33161f73b520b76d2d872540613f8938f855fc613796ecd2bbd940539b115c35a00174bac6a2ef24535a5d8b9d08489c22297d4b9c

Download Submit
memory/1684-16-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/1684-1-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1684-0-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/1932-39-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/1932-12-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1932-10-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/1932-20-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1932-19-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/2700-40-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/2700-37-0x00000000006B0000-0x0000000000749000-memory.dmp

Filesize
612KB

Download
memory/2700-41-0x00000000006B0000-0x0000000000749000-memory.dmp

Filesize
612KB

Download
memory/2700-46-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/2700-45-0x00000000006B0000-0x0000000000749000-memory.dmp

Filesize
612KB

Download
memory/2700-47-0x00000000006B0000-0x0000000000749000-memory.dmp

Filesize
612KB

Download
memory/2700-48-0x00000000006B0000-0x0000000000749000-memory.dmp

Filesize
612KB

Download
memory/2700-49-0x00000000006B0000-0x0000000000749000-memory.dmp

Filesize
612KB

Download
memory/2700-50-0x00000000006B0000-0x0000000000749000-memory.dmp

Filesize
612KB

Download