urelas | 1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe
Size

505KB
MD5

2aa64747a71a586bdeea389d14e7d07b
SHA1

10272df186170bf57586469e4c8385daebd06267
SHA256

1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446
SHA512

869c287f0e1efdacba91a1bb4d6f8c5aa3db6da60117dde2cb191d1eb1463f9d43cc1bec806e5869f7a520bbdc81b9ff148d272e9d44c0d5697774438d642b8e
SSDEEP

12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK55:PMUv2LAv9AQ1p4dKj

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	tozuz.exe

Executes dropped EXE 2 IoCs

pid	Process
1540	tozuz.exe
464	xucah.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tozuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xucah.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe
464	xucah.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1540	4584	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe	88
PID 4584 wrote to memory of 1540	4584	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe	88
PID 4584 wrote to memory of 1540	4584	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe	88
PID 4584 wrote to memory of 4192	4584	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe	89
PID 4584 wrote to memory of 4192	4584	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe	89
PID 4584 wrote to memory of 4192	4584	1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe	89
PID 1540 wrote to memory of 464	1540	tozuz.exe	107
PID 1540 wrote to memory of 464	1540	tozuz.exe	107
PID 1540 wrote to memory of 464	1540	tozuz.exe	107

C:\Users\Admin\AppData\Local\Temp\1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe
"C:\Users\Admin\AppData\Local\Temp\1e314dcbaeedbc747045d4764ba59ea1acf280c0925574dcf1f9d2a5406ae446.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\tozuz.exe
  "C:\Users\Admin\AppData\Local\Temp\tozuz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\xucah.exe
    "C:\Users\Admin\AppData\Local\Temp\xucah.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2c1ef6f2bcd5e73341a8d1d3956f8ab8

SHA1
2fb1ffae260cf1f240bd343d5f07ae7ebce43cb7

SHA256
5caf30b1611c748a03a53a19017fd0eb4a71702ddcba963791307dc3b45134b7

SHA512
50a10568d83a0be5e5665740c5340a52824461d4876018d1202620650fa44d24b9909004d907e3388fe29676ebe4782b4d9303391eb61425ac3aec364a387481

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ba6229698e3ed494fe47fe1da7e51882

SHA1
bc5f7a346500db0ef699793bd081fc080a3bf974

SHA256
5094385e5480a473dbf97372d126d705d26b0654ff84c42c466c33ee5a2e53f8

SHA512
05495601ed5187f3629b6f8ec93d56fc759039591482152d1c3c1ff46e266d426f4fa4f0da529925704c9b5b4354824c200b5b58f2bd3d6214548a99d62a1b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tozuz.exe

Filesize
506KB

MD5
f22e0c654b2e15f1af1349f0af9e1e9b

SHA1
971fa27c2b40331729f38bb957583f7d7c5350ae

SHA256
60e52b7d2692f963fada7f45329b406be1ad488f126aa77c39f8d330665939b3

SHA512
d7cb3638822cc2a90f3b8266e8f9788625ca78c02acbdc8f01c46daaf83cf9fb62deeed543edecdd4a82e8e3ab2507e6140e969a1dbba4c13035699348d3a0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\xucah.exe

Filesize
172KB

MD5
e1b5380739da2d46d127df683a643c13

SHA1
5bba8529fac3f0bba75b214a39385461ead15495

SHA256
4b1fda04caf840c22a17ffb7fe501e3d39f0fc3b62d14258b786514c64eccfca

SHA512
5018a605c31006ab6fe68540ea3d2baac0adfcebe079a0f0de414b8afff91c7bc95ab54ba349afb4c290449002d79fc2c8f87ede3abafe426174378e8d8ed84b

Download Submit
memory/464-26-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/464-31-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/464-28-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/464-33-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/464-34-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/464-35-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/464-36-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/464-37-0x0000000000CE0000-0x0000000000D79000-memory.dmp

Filesize
612KB

Download
memory/1540-17-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/1540-12-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/1540-27-0x00000000009C0000-0x0000000000A41000-memory.dmp

Filesize
516KB

Download
memory/4584-14-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/4584-0-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download