urelas | 49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe
Size

329KB
MD5

8f9f1e06458b285e4c54662ce6b965e7
SHA1

790ed8e8263244ac5d8943d2823f8bc63c9d6472
SHA256

49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed
SHA512

f21d03eb31737d42533acf496f574fceeecaf356c97fae0bdb57f4644dca6a3293ddadff908aaef21745e6108bbb163f3b73e874d215cdabaae1d05252c55a1c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOQ:vHW138/iXWlK885rKlGSekcj66ciD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	qekip.exe

Executes dropped EXE 2 IoCs

pid	Process
3664	qekip.exe
1640	kikol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kikol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qekip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe
1640	kikol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3664	4408	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe	87
PID 4408 wrote to memory of 3664	4408	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe	87
PID 4408 wrote to memory of 3664	4408	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe	87
PID 4408 wrote to memory of 1532	4408	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe	88
PID 4408 wrote to memory of 1532	4408	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe	88
PID 4408 wrote to memory of 1532	4408	49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe	88
PID 3664 wrote to memory of 1640	3664	qekip.exe	99
PID 3664 wrote to memory of 1640	3664	qekip.exe	99
PID 3664 wrote to memory of 1640	3664	qekip.exe	99

C:\Users\Admin\AppData\Local\Temp\49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe
"C:\Users\Admin\AppData\Local\Temp\49f3b7cd0257dd629a7a4ae2b7c8e77212ff1f8c735dba5eb1251e789b7928ed.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\qekip.exe
  "C:\Users\Admin\AppData\Local\Temp\qekip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\kikol.exe
    "C:\Users\Admin\AppData\Local\Temp\kikol.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d17a519970c49c9ed6ad27b92c079b27

SHA1
0e5cf028bdf4fe24b235790911e9eee82417fe3d

SHA256
d455e5861ac088bc327abe1e49b601aee19f211115ec90c6d7d11795bc06e528

SHA512
3285c9c63d24d4e7657b4ba70a13c1ec26c45b2d67eade752679eb1315a12957c2e6af6ec6314abe57c8220bc187c69a5487cb8c9d8ba6ff13615cbb126843f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
da674ea1b0068677c9f296c5bacb4404

SHA1
8053ea84163caf2463781b799e7a8267e7d2209c

SHA256
0248054f2d65b70e41d3c7025a4891755282466c72b7ac6097bc4c2589a96a71

SHA512
d6e0b13886f0b48899c9753efbe8965cd86155d2fada4ca5f06eedc87c31a66cd4f3ac361db75f6f44c0c84930d7b14702b32e161a36c8e5bc0aea86d0e8a330

Download Submit
C:\Users\Admin\AppData\Local\Temp\kikol.exe

Filesize
172KB

MD5
bf77fc3505fa96e9a96d82a3c33e75cc

SHA1
bb5de341b577bd05ceef0fa231a4f46f4c4f1b82

SHA256
8a36dc48a8eec962ba1ec4791a8967c405c626210f9095040a6b9edb96c23c0d

SHA512
8e0ee20697cfd5069c28a26bb336ba5739b71e229b4b9b610a72b9d3d0b1d2e807f659ab61aee8d68759cd8d5c4dd29ca9ccfa3bab5e10d5b3dddb4a3d161b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\qekip.exe

Filesize
329KB

MD5
cc00fb9e580642c1bee224f30d163a3e

SHA1
751329bb21c4c75a27690fc7d9f7a4ef02583b1a

SHA256
4fd901341e4636c2fdc7912b55ed95783e4007400932d926f4708d3710ee0d39

SHA512
55b058882047f0d328d5214fb1b4481815bcb15a8dc8110b1b9f41a3f2ea7f28d550b80cd3762cfade5a308aa444e87d18bdd7698fd318d96f973fc54908df83

Download Submit
memory/1640-47-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/1640-48-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1640-51-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1640-50-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1640-49-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1640-46-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1640-42-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1640-39-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1640-40-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/3664-41-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/3664-20-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/3664-21-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3664-11-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/3664-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4408-1-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4408-0-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/4408-17-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download