urelas | 76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a

Analysis

max time kernel
94s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe
Size

80KB
MD5

478ed604f87c3820b72fbaf5803f6a47
SHA1

e89945f9ab8a41aaf93a74b348dc0a3d95e49d83
SHA256

76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a
SHA512

f90d4745a236af07d0702fa7634286cb89564980092c806c7b0a4367b2c9d727c41c6301a719df582510ce87e874c4ac38f363b53a1f3b287b169d84a259526e
SSDEEP

1536:zxKyhnAUfUiZR9G84qk+Be/HZ17hmZpDsxu1p:zLCEZTGx518ox6p

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe

Executes dropped EXE 1 IoCs

Processes:

poldge.exe

pid process

4948 poldge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4948	poldge.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exepoldge.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poldge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe

description	pid	process	target process
PID 3780 wrote to memory of 4948	3780	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe	poldge.exe
PID 3780 wrote to memory of 4948	3780	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe	poldge.exe
PID 3780 wrote to memory of 4948	3780	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe	poldge.exe
PID 3780 wrote to memory of 4792	3780	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe	cmd.exe
PID 3780 wrote to memory of 4792	3780	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe	cmd.exe
PID 3780 wrote to memory of 4792	3780	76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe
"C:\Users\Admin\AppData\Local\Temp\76d21484127516df1585bfc2862602b638873211074606913e4e3cc5b8a1371a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Local\Temp\poldge.exe
  "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af6f90fee60d60070d9076eba7533c76

SHA1
015da84cb0cfce8699e8b1937dfac54a15e7e792

SHA256
14360d90f621ef9e1d84b269de67f782c9f6a904cf3226c2724d4898c157b687

SHA512
53ce60ef6f9dc9241d106d4e160833430e7855a221babf9835578096313a7a8ba1285df8d5620850ffe9f41f860e04e758a2f0be6fe688a87ea13d780234c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
81KB

MD5
b655b3fcc23bbe25042e5e4a981b0de8

SHA1
2ec912454e3578f472889650de38b99384da2528

SHA256
a3ca675bce6d15fd160bec759d54ab2d2d46c6442d10f31d56472b4a8c52498f

SHA512
927c18b35a7afbce6e6e48bd6a979ccc0899ba17d860e5d61fb02097b2aaf55363045fea100d010923485b03a1623eed3dc0b692d57d5499ef3797cdf18be707

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
8e88723f954131e4ad705bd75ea23ce2

SHA1
4846e2a619994f759357a61fc4e56350fc9433ec

SHA256
00d6946140792643be560e0b96ff92b97a7b5eae6ba33145c1103b0ec3855297

SHA512
a6f561c68b9493803b5dc490478a7a3c7e0ced025388bf4f59318d381da29bc81ce036176d9fbf898afd2b195541f458fcd38981d73b9409a566d31284670d16

Download Submit
memory/3780-0-0x00000000002F0000-0x000000000031E000-memory.dmp

Filesize
184KB

Download
memory/3780-14-0x00000000002F0000-0x000000000031E000-memory.dmp

Filesize
184KB

Download
memory/4948-10-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

Filesize
184KB

Download
memory/4948-17-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

Filesize
184KB

Download
memory/4948-24-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

Filesize
184KB

Download