urelas | a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Size

335KB
MD5

32b6decf1f8f55af9dc2a48997ebf910
SHA1

b19a9b5476ec7afa01a63083dea8961119652928
SHA256

a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482
SHA512

d2a82fae0b0621190260475b39f2d040cee0c25f302f5a4f60c164accfdad26d07b8df1cf408588f93769a1b56d12aa167200ef9880795794dd6d669ba14dced
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	kyuxu.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	kyuxu.exe
2560	xuzec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuzec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyuxu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe
2560	xuzec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2360	4020	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	87
PID 4020 wrote to memory of 2360	4020	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	87
PID 4020 wrote to memory of 2360	4020	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	87
PID 4020 wrote to memory of 4476	4020	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	88
PID 4020 wrote to memory of 4476	4020	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	88
PID 4020 wrote to memory of 4476	4020	a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe	88
PID 2360 wrote to memory of 2560	2360	kyuxu.exe	107
PID 2360 wrote to memory of 2560	2360	kyuxu.exe	107
PID 2360 wrote to memory of 2560	2360	kyuxu.exe	107

C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe
"C:\Users\Admin\AppData\Local\Temp\a50e91bdcc42084065dadf56c3738ba142d537147fdef38db2f05713aad27482N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\kyuxu.exe
  "C:\Users\Admin\AppData\Local\Temp\kyuxu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\xuzec.exe
    "C:\Users\Admin\AppData\Local\Temp\xuzec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9a048aa325b4689fdcfd1e04de51f69b

SHA1
5072d2a39083b15bceb55a02483f35eda0ad9150

SHA256
e99675057f0b5161be35b2ee5baf34c89f00962c77ab2307860014e46e890727

SHA512
5e66b9da190a61c7814fc2961f6135a15a53a975fb2fef3cd1957cbd9541c4b8acaf37bd0ef479e7be898813460692a02c4618d8de699a166365e11b15d3ac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c8c8e15e82e4a00925c00158bd25cfa2

SHA1
8152fd0ee96945880eb555e11ef8c6ee70de53ea

SHA256
092134a1616e4f98505358573ab5faface5b86498443a8d422fcb5bcbb70cb68

SHA512
037bd44346b56def5304b65f84cc7ead6bca7e51cc13e7f7d90427a2c2dd560622575d6ae9380e5f4f7bd9c80eeb75d8da910c9770515855e894e3d064d15209

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyuxu.exe

Filesize
335KB

MD5
790fd8b8716829f100c34e0e951be80d

SHA1
8a203d6708ddc49e47275b001e17523387680136

SHA256
9f040d79aa5274d28ae92c47ce1ce5cbb1072b2242b6fbbb1ba467f8b81d5b3e

SHA512
6efc899ef84fce8ff826b9b934fee21b95e40fa99bec8b368f96861a547712ec97bc06a7bd7c6c9301d2749fd215c349a779df30cd961908fd2649a4ef5ff3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuzec.exe

Filesize
172KB

MD5
de7efc1ef7819b113e956791c52e56df

SHA1
d763609afcc5c5a8f898e29adf3110c530d962a0

SHA256
3110b0a23c307395ed17e0ef81093821719901cded54ea7f8bb027c0651a7c69

SHA512
256fe6ca252ffc5804c2af026dc95a6d15d80126d4500ade3e5aaff643e16c287f348498d08429e87fa2d89c3c909dfd9a0345a1d4729974aff5e66dea0a47b1

Download Submit
memory/2360-21-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2360-41-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2360-13-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2360-12-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2360-20-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2560-46-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2560-39-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2560-38-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/2560-42-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/2560-47-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/2560-48-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/2560-49-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/2560-50-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/2560-51-0x0000000000CC0000-0x0000000000D59000-memory.dmp

Filesize
612KB

Download
memory/4020-17-0x0000000000E30000-0x0000000000EB1000-memory.dmp

Filesize
516KB

Download
memory/4020-1-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/4020-0-0x0000000000E30000-0x0000000000EB1000-memory.dmp

Filesize
516KB

Download