urelas | 56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
Size

326KB
MD5

7369bddc9ef2ce044b115923f47ca6e0
SHA1

6d5f2d34b544e6a95d3fd0198706f3e4bc13665b
SHA256

56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718
SHA512

8c2b11e4de1a1b24638eb6b95c38a8e41654015c76208b2eb912b4eab020135806b5d6a1cdcda1169fd713a5371cb3b192be5b1f71caa32afe7cfc0ae429bed6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYk:vHW138/iXWlK885rKlGSekcj66ciJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	odysa.exe

Executes dropped EXE 2 IoCs

pid	Process
4176	odysa.exe
1248	seykk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seykk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odysa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe
1248	seykk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 4176	2476	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	87
PID 2476 wrote to memory of 4176	2476	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	87
PID 2476 wrote to memory of 4176	2476	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	87
PID 2476 wrote to memory of 4984	2476	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	88
PID 2476 wrote to memory of 4984	2476	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	88
PID 2476 wrote to memory of 4984	2476	56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe	88
PID 4176 wrote to memory of 1248	4176	odysa.exe	99
PID 4176 wrote to memory of 1248	4176	odysa.exe	99
PID 4176 wrote to memory of 1248	4176	odysa.exe	99

C:\Users\Admin\AppData\Local\Temp\56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe
"C:\Users\Admin\AppData\Local\Temp\56c450a2294f2a1ec2fa27d8c3566bd283cd6fa9e4e12a40223683f4c424c718.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\odysa.exe
  "C:\Users\Admin\AppData\Local\Temp\odysa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\seykk.exe
    "C:\Users\Admin\AppData\Local\Temp\seykk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
075fd977af72e2c7e8027ca5a6c2a76d

SHA1
57e248e4348bfa5a2b6494ebfce31d4073c82a0b

SHA256
bb1b69cc6c30de91cbc31ddeec5efc71f172e4013933e98e92d0e2c9137f5fcf

SHA512
b661a441e0fa3638040ca79f0f1d42b03de2a601b030769ffbd9bf34373700f5123e19c8f16df424d8d9bdc440722783d0ee097e56d48d215732bb7106891633

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e744f7cb044e5b590458c3e664d6fe5b

SHA1
1ee92bdeecc852763321e7f0fab1b52d127ec567

SHA256
db97828e9af5ed07519643aec99e7fc3317c264f6e4a1a0d85e3d3298eb2d9ea

SHA512
36635294bc151d19da761feecbf3021380148e61956c60fa7f4dd067dba133afc30d6485b432160efab184760f53fc2887f3dd74217cddea815b60e7f26fd532

Download Submit
C:\Users\Admin\AppData\Local\Temp\odysa.exe

Filesize
326KB

MD5
268295e5d3aba704bff32f4310cc01d7

SHA1
b6c2f75ac8b8ec449f4c58bb2d6912e04c15bf8b

SHA256
4fe7b3fbac20140a81d5440f5eb28286291f9dc0b55350824f269d9721243b49

SHA512
0f8f1d0cf38e1d82a987d422b9c9e61182a9e5f2f8c79f04db1223c3dc32002ff8abed32eb37657b1c4d13a9a0cedd7d61ca9d4fee10be8264c9e3cffc48f5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\seykk.exe

Filesize
172KB

MD5
f1fde58d00155b71159a58a1d02451cc

SHA1
76fe9b3d0fb75a3d777ec5066556c492b5f4fb59

SHA256
b296d13f304beee783241d905d552467599b0e602cfb70ce67039119d671fbbf

SHA512
63e9513360ad26c008fce22ac7c32b0a8ffe593d7e32b4b21322e331de0969e5209b331637c483f46f371ce7084c39ed8fae3fcf46a54ed58ca2c1cb5c23e22a

Download Submit
memory/1248-46-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1248-47-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1248-51-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1248-50-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1248-49-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1248-41-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1248-40-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1248-48-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/1248-42-0x0000000000EA0000-0x0000000000F39000-memory.dmp

Filesize
612KB

Download
memory/2476-17-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/2476-1-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2476-0-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/4176-21-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4176-39-0x0000000000B00000-0x0000000000B81000-memory.dmp

Filesize
516KB

Download
memory/4176-20-0x0000000000B00000-0x0000000000B81000-memory.dmp

Filesize
516KB

Download
memory/4176-11-0x0000000000B00000-0x0000000000B81000-memory.dmp

Filesize
516KB

Download
memory/4176-13-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download