urelas | cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Size

513KB
MD5

ae2d2d119ec1eeb560351d63f29686a0
SHA1

300bb668d1e576c9afa7526b215c1ec8289f0f48
SHA256

cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6b
SHA512

1434765eb802c8b48c131a0193bdee4d18f7f3fb64843b0095e1c529fa3d0a76bbba8e2d8b5008cd33c82d16b0c9e30fcaf6cdac88b346a735f1088507925e08
SSDEEP

6144:uqXAoQT5Tr9R0HN/3w36EnCYLTczsMr0jnE/QhyjxJBErrZAWkPW5oeNtLjsOidS:BQRI/3w36EnCYckE/iydJai/WZt3

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	evgud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe

Executes dropped EXE 2 IoCs

pid	Process
4784	evgud.exe
3572	xovik.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000705-22.dat	upx
behavioral2/memory/3572-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3572-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3572-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3572-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3572-32-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3572-33-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/3572-34-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evgud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xovik.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe
3572	xovik.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4784	4780	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	87
PID 4780 wrote to memory of 4784	4780	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	87
PID 4780 wrote to memory of 4784	4780	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	87
PID 4780 wrote to memory of 5056	4780	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	88
PID 4780 wrote to memory of 5056	4780	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	88
PID 4780 wrote to memory of 5056	4780	cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe	88
PID 4784 wrote to memory of 3572	4784	evgud.exe	99
PID 4784 wrote to memory of 3572	4784	evgud.exe	99
PID 4784 wrote to memory of 3572	4784	evgud.exe	99

C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe
"C:\Users\Admin\AppData\Local\Temp\cf762dddf83079387587b6b09837338e00cb1fb738eb9008d83201a772f98d6bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\evgud.exe
  "C:\Users\Admin\AppData\Local\Temp\evgud.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\xovik.exe
    "C:\Users\Admin\AppData\Local\Temp\xovik.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
97fd8da4f233438ece45b12adab2f24e

SHA1
1b43e532e19cf207d167f13f7584e0756f6cd6f6

SHA256
36003db861c347b93225fc5b0c564db2511bcdd2658f6fdcdc40dacc7a640db7

SHA512
6a3f7a63b59e9e82ace17e6e5c96b945db6910dcb455715aebd867904d7e7ce1e6f18a3e34a5b82c6dbb193b2794528fabf54cf035f8f189049301486029b5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\evgud.exe

Filesize
513KB

MD5
7cb35264b5d4f1a46194d2cb99299557

SHA1
0d95129639e36c77238b0ca74db17d0e95cef938

SHA256
6975bff5848eba58b6463caa7a9f3663df7f721cc3ac5d845f911d706e711f63

SHA512
86f56e05d282b4029ac3c57888d4aec7130f36a4afce301240a0f32bc5e084b5375b596d6bd6e24556a664378729ab7ea22cf017b233482a45627028c5aed3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ea98a34c114a8a69354560fa5e9bf9be

SHA1
80f18ee5ed92005609052f0e3ab006cdd553c0f3

SHA256
9982ba97274b237bc8cdb8aafefe6876ecccf7150069cec8cbc2e5778bb74f92

SHA512
4c293d6530027b34477451c2eb998d91368f439c2703ee999fbd2f01be681d12c9e4ff631b9136b8aaa34818a29b9491762f24527578ae21edb109d0921dc350

Download Submit
C:\Users\Admin\AppData\Local\Temp\xovik.exe

Filesize
209KB

MD5
c8fe902084a1d3ca36f160dc03753be4

SHA1
7105a5515e0f4caa722904636a1d5c02c2c00258

SHA256
cc6355f01c8f3f6d846b03216cd11cf931054020b1464dde095cf8b780155ad9

SHA512
cd78286946379ad567162e5332a3f7f9b04a6f3bde5de15e642a57ae9be8f972986fe9eadfedaa77ed5912e9d6ad277804b377a056779d8717b8ace559a61cc4

Download Submit
memory/3572-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3572-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3572-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3572-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3572-32-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3572-33-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3572-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4780-14-0x0000000000EA0000-0x0000000000F27000-memory.dmp

Filesize
540KB

Download
memory/4780-0-0x0000000000EA0000-0x0000000000F27000-memory.dmp

Filesize
540KB

Download
memory/4784-17-0x0000000000060000-0x00000000000E7000-memory.dmp

Filesize
540KB

Download
memory/4784-9-0x0000000000060000-0x00000000000E7000-memory.dmp

Filesize
540KB

Download
memory/4784-27-0x0000000000060000-0x00000000000E7000-memory.dmp

Filesize
540KB

Download