urelas | 88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
Size

332KB
MD5

35506475a0a8a4c0429a15340d2fab27
SHA1

35e70cac093ecc3e47a88bcecea97b8b0b893560
SHA256

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0
SHA512

4b9c4bea129d323f0d637a5fa60d37ca3c6400a5b7463a8b9811455edcb3492982b882178f2af9c5d1af21b397b42dd98d0e82db93ac6e09097bbf11115860db
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVF:vHW138/iXWlK885rKlGSekcj66ciEF

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exeyfbyw.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	yfbyw.exe

Executes dropped EXE 2 IoCs

Processes:

yfbyw.exeolkio.exe

pid	Process
3192	yfbyw.exe
1848	olkio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeolkio.exe88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exeyfbyw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olkio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yfbyw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

olkio.exe

pid	Process
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe
1848	olkio.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exeyfbyw.exe

description	pid	Process	procid_target
PID 2128 wrote to memory of 3192	2128	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	88
PID 2128 wrote to memory of 3192	2128	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	88
PID 2128 wrote to memory of 3192	2128	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	88
PID 2128 wrote to memory of 1216	2128	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	89
PID 2128 wrote to memory of 1216	2128	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	89
PID 2128 wrote to memory of 1216	2128	88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe	89
PID 3192 wrote to memory of 1848	3192	yfbyw.exe	108
PID 3192 wrote to memory of 1848	3192	yfbyw.exe	108
PID 3192 wrote to memory of 1848	3192	yfbyw.exe	108

C:\Users\Admin\AppData\Local\Temp\88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe
"C:\Users\Admin\AppData\Local\Temp\88c1dfa202eee64dc73b932f7a0e94e213f18d8ee5fb8e0c8f595ecde58456f0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\yfbyw.exe
  "C:\Users\Admin\AppData\Local\Temp\yfbyw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\olkio.exe
    "C:\Users\Admin\AppData\Local\Temp\olkio.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2cc086749471fe7255e7208554d4f970

SHA1
c4ab504a3f9e5ee49b2980af642944e62e6e24b5

SHA256
846202b2fd88edfa36702254985f6a9b615e322344cf037d995a00d3f80d3834

SHA512
4e16ee830a363522fc85f000adcc977a003e00224f8793244c8145bb6b330d4edd3b5a51eaa8dae1d99644a41f92206405284dd4a196edeec3a7343051289de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b34189522acf7d229db44d02e1ae3c5c

SHA1
e9d3ef64967955e73717fe05b14c864e609544df

SHA256
73f769cd62e65de7447b32d493404c8df49a3a49dcfd413f084f5e771aca94e1

SHA512
c36b7e1ab95d4f67efa6e0ca5a175e6340a67fb52c857e67aef036ba2779450142ea479336e47d7e058ec2146cc0db57b858623917f03d88eaf7ef00b1476b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\olkio.exe

Filesize
172KB

MD5
b19acf4b760a6b7ad63947f8eaf9046e

SHA1
ef7d788d5d8dbce6182601805744d1b5eed15631

SHA256
1c862e852dd51abd9cd95c6d70aaa922544250ac08b6724ff25408c3bb3d53f3

SHA512
f9a2b6573fb252878babf49b4e2504f172ac83cb202cdf7708216d1f873cf7b14788a6ccc8c9b9eae3deae24afac060db205c17af23d41cf4f2a9b671d689c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfbyw.exe

Filesize
332KB

MD5
355252e71a2abbbd1f008fb7fd700dac

SHA1
2a866fdc65663167b6cc8ca6bef5e0782956dbe3

SHA256
88d4d0066c2651406c925ee197e3976f50a1a140f1834bb4ec19330f72944673

SHA512
d5b3bdf83c2c4de00988d347b2c49714da4bcda69ea157132df8368a56839ba6d74d815743ddb181dc69e3872d73c145a587119711aa234144a004c0e4eb7eb9

Download Submit
memory/1848-47-0x0000000000970000-0x0000000000972000-memory.dmp

Filesize
8KB

Download
memory/1848-48-0x0000000000620000-0x00000000006B9000-memory.dmp

Filesize
612KB

Download
memory/1848-51-0x0000000000620000-0x00000000006B9000-memory.dmp

Filesize
612KB

Download
memory/1848-50-0x0000000000620000-0x00000000006B9000-memory.dmp

Filesize
612KB

Download
memory/1848-49-0x0000000000620000-0x00000000006B9000-memory.dmp

Filesize
612KB

Download
memory/1848-46-0x0000000000620000-0x00000000006B9000-memory.dmp

Filesize
612KB

Download
memory/1848-42-0x0000000000620000-0x00000000006B9000-memory.dmp

Filesize
612KB

Download
memory/1848-39-0x0000000000970000-0x0000000000972000-memory.dmp

Filesize
8KB

Download
memory/1848-38-0x0000000000620000-0x00000000006B9000-memory.dmp

Filesize
612KB

Download
memory/2128-1-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2128-0-0x0000000000710000-0x0000000000791000-memory.dmp

Filesize
516KB

Download
memory/2128-17-0x0000000000710000-0x0000000000791000-memory.dmp

Filesize
516KB

Download
memory/3192-41-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3192-21-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3192-20-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3192-13-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3192-12-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download