urelas | 8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Size

331KB
MD5

9f78b4660bf589e6368eca545febc800
SHA1

edb884285f8a54ac6ba85d3e7204b3425e1eadfb
SHA256

8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038
SHA512

aad9405ef2f393d6ab62e0e09c97d1cd2a27fb1ed028a4dc154c2403529d6fce8a5f1a8acad7acb3aaff9ceb5dfe021bea27d4042269fb7c0b6604fbe99222e2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVJG:vHW138/iXWlK885rKlGSekcj66ciEQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	xojif.exe

Executes dropped EXE 2 IoCs

pid	Process
3524	xojif.exe
3608	zulic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xojif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zulic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe
3608	zulic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3524	4840	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	86
PID 4840 wrote to memory of 3524	4840	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	86
PID 4840 wrote to memory of 3524	4840	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	86
PID 4840 wrote to memory of 416	4840	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	87
PID 4840 wrote to memory of 416	4840	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	87
PID 4840 wrote to memory of 416	4840	8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe	87
PID 3524 wrote to memory of 3608	3524	xojif.exe	98
PID 3524 wrote to memory of 3608	3524	xojif.exe	98
PID 3524 wrote to memory of 3608	3524	xojif.exe	98

C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe
"C:\Users\Admin\AppData\Local\Temp\8985d536f720d970aefa4c4a2e92793c818517b546a4b9381747810fb0eb9038.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\xojif.exe
  "C:\Users\Admin\AppData\Local\Temp\xojif.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\zulic.exe
    "C:\Users\Admin\AppData\Local\Temp\zulic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cce5db9a9c3927a00964efd0d09ee9fb

SHA1
2ecbcdb5b55724f97823b0585acb44c5d45afd24

SHA256
5a7d5053843c15912e8092a229ab9243d7859c365454769b3a7203fc1c45ce29

SHA512
17c1da65199112e71fea987b160560836348d55e401706195ac958d5a2994b19900aaa8d13895f2601bc76c05dd610fd7659be5a8eadbb760f3c9f42b7a52f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ce2b541d8504da3ad054296fcb231dc4

SHA1
050e51d21532c6965c69c690df17bf3f72114824

SHA256
0deecac4203b2430560852b8c62811b7eb0c8d1624eb8c2b46399265b7e312fa

SHA512
b543660f56d7de93608b82a5225f2bf2c62272fb7250772a0df90ade08b96e99348733f2e0c32631e0996e40dd897a4ccfd2ba1941fb52e89f0c0da7e2da3f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\xojif.exe

Filesize
331KB

MD5
ac7fc266f525de7a5c908026832b158e

SHA1
0a5b05077885af897c303ddeddc48a264ab516f6

SHA256
1b897b4018e43ed99aca5823da6907f253b9723e1f4846f6da66516b28a93a59

SHA512
7a883dea2c23af376eb79028476865ae610e3409004a1548eee6ead56ffb491b939e9184804de848dbc4e6f91271538108838afd0af309a5f8e528fbe35b1164

Download Submit
C:\Users\Admin\AppData\Local\Temp\zulic.exe

Filesize
172KB

MD5
45329c1dac9b65ec98061ca0d884a9ca

SHA1
8528b02721d1b77908903dd54131ce09b145fa1e

SHA256
badd0d55a2c1988f59647dd378034387f5a9fe35b96444240907756af55c7915

SHA512
d85cc2ddafa08ad978776523cab377094fb7a7a5ebee1ea65caa25b9e8e3998f56f1aeef87107dabf72a0db7e90b3083ea033839d9518e93302860ea40cb8c46

Download Submit
memory/3524-20-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/3524-40-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/3524-14-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/3524-13-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/3608-45-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/3608-38-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/3608-37-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/3608-41-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/3608-46-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/3608-47-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/3608-48-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/3608-49-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/3608-50-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/4840-17-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/4840-1-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4840-0-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download