urelas | 28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe
Size

329KB
MD5

7e785f9f8b569204008edd4f0d9839c3
SHA1

daaef1ae66676b19ee118dca0e998d5557d3f30f
SHA256

28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62
SHA512

1f370081d8ddfbb44211087946c74a4d58a5814feb7bdedb3f31d39205106922c255b2150d00653c5116b04cbe25a8636ab04de9a9cccbf407ba8cffcc52a849
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOR:vHW138/iXWlK885rKlGSekcj66cii

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	mukyw.exe

Executes dropped EXE 2 IoCs

pid	Process
3600	mukyw.exe
4968	ludem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mukyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ludem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe
4968	ludem.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3600	3584	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	86
PID 3584 wrote to memory of 3600	3584	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	86
PID 3584 wrote to memory of 3600	3584	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	86
PID 3584 wrote to memory of 3768	3584	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	87
PID 3584 wrote to memory of 3768	3584	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	87
PID 3584 wrote to memory of 3768	3584	28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe	87
PID 3600 wrote to memory of 4968	3600	mukyw.exe	106
PID 3600 wrote to memory of 4968	3600	mukyw.exe	106
PID 3600 wrote to memory of 4968	3600	mukyw.exe	106

C:\Users\Admin\AppData\Local\Temp\28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe
"C:\Users\Admin\AppData\Local\Temp\28c8345ece98e67ea577d55d641b61db581c4904bf9071355517bbcb38620b62.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\mukyw.exe
  "C:\Users\Admin\AppData\Local\Temp\mukyw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\ludem.exe
    "C:\Users\Admin\AppData\Local\Temp\ludem.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
559343e429ba4ff497d5d33e6114f5ea

SHA1
0417c432be9e15544b2ab06c65c34160bcf78e21

SHA256
6b8561a4d1330263ab8cd9254adf5fd88b211eb9f95dca7cd3a82cac45a65645

SHA512
c40cdcda24500fddd0515f7c50a0dab44da5ceb7ca4601dd4b8336ed79ffec3708583ee5dce5b3a5954e8e68de9ce032fdd23a8235dc6a4334d470f120102ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9dab935245d14b3f3e09b4f0ac03c4e3

SHA1
a658f1e8652758b7e24fc5e3f1de925231d566c6

SHA256
aaf6d3a40830995341b9bc050ca49f5652a159af3653a6192866bfea5b7b972b

SHA512
fb97565acc0debcda6caf36623126b25d29bd8114ce632b2a34764b8d1b9e4bf54e67e080208d8b73c07449f3a2f800944f04d1c7c9376e5762a922e97574fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ludem.exe

Filesize
172KB

MD5
4973ae62eda537c7dede3c7e82e95fcf

SHA1
92a67bccb03d2bbde624f01fd7232326caefe3b0

SHA256
50b182b29b1f4e0c589f01b78de890f7777fa706f96aba84832a7527103c06fb

SHA512
b6e2607e7094b9b38e80270891b7ebee2073226ddc1e827b0d4764d9ac1922699eefe15c3aa874a9b32746b495dee0cd3b147dafae490041909efbd8382ab4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mukyw.exe

Filesize
329KB

MD5
7364f2f71fcc33224eb93b69b1959e37

SHA1
2a9874e9ec2ea8b1d8cf1f2b12fc62f138a771d8

SHA256
6e35f2ca522f7a78395f066131fdb654b5d2cf12ccb2aaf62cde96a55c1f1504

SHA512
f25ecb9e35b269b7fc2bae0bea4a913f2f95d0ca95217a652199ce1b49b31e0f47121150e6aebd8e848ecd367220f67b6b8475dbbcaac67886b4560487186fae

Download Submit
memory/3584-17-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/3584-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3584-0-0x0000000000A80000-0x0000000000B01000-memory.dmp

Filesize
516KB

Download
memory/3600-39-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3600-11-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3600-14-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3600-20-0x0000000000D30000-0x0000000000DB1000-memory.dmp

Filesize
516KB

Download
memory/3600-21-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/4968-41-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-37-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-44-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-46-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-47-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-48-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-49-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-50-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download
memory/4968-51-0x0000000000160000-0x00000000001F9000-memory.dmp

Filesize
612KB

Download