urelas | 8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Size

331KB
MD5

9f78b4660bf589e6368eca545febc800
SHA1

edb884285f8a54ac6ba85d3e7204b3425e1eadfb
SHA256

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038
SHA512

aad9405ef2f393d6ab62e0e09c97d1cd2a27fb1ed028a4dc154c2403529d6fce8a5f1a8acad7acb3aaff9ceb5dfe021bea27d4042269fb7c0b6604fbe99222e2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVJG:vHW138/iXWlK885rKlGSekcj66ciEQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exequzuv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	quzuv.exe

Executes dropped EXE 2 IoCs

Processes:

quzuv.exebemis.exe

pid	Process
672	quzuv.exe
3284	bemis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exequzuv.execmd.exebemis.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quzuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bemis.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bemis.exe

pid	Process
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe
3284	bemis.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exequzuv.exe

description	pid	Process	procid_target
PID 3264 wrote to memory of 672	3264	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	87
PID 3264 wrote to memory of 672	3264	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	87
PID 3264 wrote to memory of 672	3264	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	87
PID 3264 wrote to memory of 2780	3264	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	88
PID 3264 wrote to memory of 2780	3264	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	88
PID 3264 wrote to memory of 2780	3264	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	88
PID 672 wrote to memory of 3284	672	quzuv.exe	99
PID 672 wrote to memory of 3284	672	quzuv.exe	99
PID 672 wrote to memory of 3284	672	quzuv.exe	99

C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
"C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\quzuv.exe
  "C:\Users\Admin\AppData\Local\Temp\quzuv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\bemis.exe
    "C:\Users\Admin\AppData\Local\Temp\bemis.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cce5db9a9c3927a00964efd0d09ee9fb

SHA1
2ecbcdb5b55724f97823b0585acb44c5d45afd24

SHA256
5a7d5053843c15912e8092a229ab9243d7859c365454769b3a7203fc1c45ce29

SHA512
17c1da65199112e71fea987b160560836348d55e401706195ac958d5a2994b19900aaa8d13895f2601bc76c05dd610fd7659be5a8eadbb760f3c9f42b7a52f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\bemis.exe

Filesize
172KB

MD5
5a992262660ba745b0e9b9a7aa4b868c

SHA1
e2a7f0c2f73ac728da3ee995c66b735786b3dc79

SHA256
6e26d4ec0f3045b9422eb75256aa2fca8e67f00f3328a592601e563c2b85ca77

SHA512
e38f0fab4015b548ca5bba59c3537a15cc8b170e30e417123d5a4575f9a5884ebdd600f6db9607d5ff8b2bfd31f46bce5f211f064b511dc8005923a0d76869fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3f7e39505af04db76b0e1e9230b097c0

SHA1
830fdd28fcd3c276a3642b9f3b76f2a566592797

SHA256
756d40003ff4951357d89d4dec4d2e5959365fbe332795eaed7a7bb4714bff06

SHA512
5351033272dd0f98c44566e07c476d84e26479ebaa360280a1ae1a7948901e65964d1b58f28654c9d2949cb6a0389632f267e0d5f748091ac9f6ea1ca3ad48e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\quzuv.exe

Filesize
331KB

MD5
c12f7a1242a3ae9470e22f4e7833ebac

SHA1
d12c20228044830a76310dabdf2068377047a1a6

SHA256
647c15a43c37ac27e6ef9b990e2e0b039b3a02d18024a85f869e7688d65a71f6

SHA512
bdb2430bd7afee7954704b65f0579dee924ecaa9112abcebaf7107649efb7f7c3d7e7400f03593fb1340b9b3f8451955565ba2b0872d6ed04328af73a7c37d52

Download Submit
memory/672-21-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/672-41-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/672-11-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/672-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/672-20-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/3264-17-0x0000000000820000-0x00000000008A1000-memory.dmp

Filesize
516KB

Download
memory/3264-0-0x0000000000820000-0x00000000008A1000-memory.dmp

Filesize
516KB

Download
memory/3264-1-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3284-42-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3284-39-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/3284-38-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3284-47-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/3284-46-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3284-48-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3284-49-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3284-50-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download
memory/3284-51-0x00000000001D0000-0x0000000000269000-memory.dmp

Filesize
612KB

Download