urelas | 36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
Size

448KB
MD5

e6cdc9ca05f7d0d63b9a2e4547905566
SHA1

65ae2b56ed18ebb0d9454b768a49829d8298d72c
SHA256

36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c
SHA512

e2a1d3d93c5ba639b3e56d2094f1b3eb84f5506a4ced2383735b28a658b75cf542bae675d21b2ba40bf2e66aa4a96c08fff2f698647998c77cdb7c8d436780a3
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTF:CMpASIcWYx2U6hAJQnw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	maujl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wazenu.exe

Executes dropped EXE 3 IoCs

pid	Process
2656	maujl.exe
3028	wazenu.exe
2340	ivvyn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maujl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wazenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivvyn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe
2340	ivvyn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 2656	4064	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	84
PID 4064 wrote to memory of 2656	4064	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	84
PID 4064 wrote to memory of 2656	4064	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	84
PID 4064 wrote to memory of 1140	4064	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	85
PID 4064 wrote to memory of 1140	4064	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	85
PID 4064 wrote to memory of 1140	4064	36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe	85
PID 2656 wrote to memory of 3028	2656	maujl.exe	88
PID 2656 wrote to memory of 3028	2656	maujl.exe	88
PID 2656 wrote to memory of 3028	2656	maujl.exe	88
PID 3028 wrote to memory of 2340	3028	wazenu.exe	100
PID 3028 wrote to memory of 2340	3028	wazenu.exe	100
PID 3028 wrote to memory of 2340	3028	wazenu.exe	100
PID 3028 wrote to memory of 4728	3028	wazenu.exe	101
PID 3028 wrote to memory of 4728	3028	wazenu.exe	101
PID 3028 wrote to memory of 4728	3028	wazenu.exe	101

C:\Users\Admin\AppData\Local\Temp\36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe
"C:\Users\Admin\AppData\Local\Temp\36004ca3b9f743497d7bb3789248d7dce817e0bd93b9929061987742ecd71c6c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\maujl.exe
  "C:\Users\Admin\AppData\Local\Temp\maujl.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\wazenu.exe
    "C:\Users\Admin\AppData\Local\Temp\wazenu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\ivvyn.exe
      "C:\Users\Admin\AppData\Local\Temp\ivvyn.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6892eda620a754623b9071773e9bf351

SHA1
db5bc1797467090f6d74a85761591b480d4ad5cf

SHA256
713180ad6a55238f1759554a67d7250e5720f2bcd74d212c323b986e302b5a7d

SHA512
3500e25fbad09f06f701adc632b4e59d214be1e960d840615795d8f219f089551ebeb003e5ceb9120c794b80dd88ebe5ad91a869331207d91c8b3878aa0cb4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
5560d0df9d27572bb943cbc5841221f8

SHA1
14e8272fa2246456d0809f04b0aadfb1ac0562cb

SHA256
f67c5e3f45e2f3957c44d029307e0f2be00997f4183682d8df7d85433b5c4180

SHA512
26dc90180dea24edb0369496ebb2b878714ed5d42a244d3cd8a0b55178e592c3357dd10c9d10359cfd492a1151b3ea45a8e9c926daea8be4f25551f75dfc31bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
49f9ed25e08447075b2b41e0e251e5fc

SHA1
42f6c3284b2fc02748b9870b0869af14d0d5082d

SHA256
c4cee2d2c109b533d025ac45e422c38cbbe050d1de383625f414606010d55d7b

SHA512
8790e0f5727df47b93da923ed1c9ff8389aef88932f6a7e6ea3b2b137b6421f03ece2f972cf18f8a2f8a6af78362b022aa58c36d5bc0047f0a523afbf132cfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivvyn.exe

Filesize
223KB

MD5
57bcadb40d995fa198959cae471b5f20

SHA1
8baeeec62c2fcd2f8ba694ae5444cd6d0d526a82

SHA256
eaf731db98b202aff7b7fc00f6101eb50359b306c14230bdc681875d3d8414d5

SHA512
0acfe506f204ec5b362f0d5a5811dc9a65f78657841db84290706160863f9ebef8102366cb1dae602e9216d42d66ecdd1db48b4aecc6bd20e3251adab5490bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\maujl.exe

Filesize
449KB

MD5
9b6389050dd9799bb4a80028dce6e3f7

SHA1
7d14c547ec280f565db812cd217c13f054c850f0

SHA256
2371d760fc7b4a00c7541a18f98942d32e463cf35216fbf66009d1c786bc18af

SHA512
f6b79cb995c437d8032981f6b18afef57878c912013fa4418a58ca327d28baf0b224b5624534f7b16a6587253ad7fcac3dce714334fa461721e85c9d4d4f3b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\wazenu.exe

Filesize
449KB

MD5
74ab06a50fd2f5e9d8f3b79880ffa8dc

SHA1
1c797a649f2eeca5fcab52c7f49527c39d7acde1

SHA256
2e8a8ee8e904a9b5e49fd56dfc93a515db09e9f3790b674f0bd0961946eee5ab

SHA512
1d28688b0612422fbd05133c734223976f69e24cb0bd7ad95a3ae92cb9714a79c860e704018257c9493732a0c27b3fc5d20cbf8ee6e2492df697d70f6da14188

Download Submit
memory/2340-42-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2340-45-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2340-44-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2340-36-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2340-43-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2340-41-0x00000000000E0000-0x0000000000180000-memory.dmp

Filesize
640KB

Download
memory/2656-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3028-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3028-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4064-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4064-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download