urelas | 60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
Size

327KB
MD5

211974cb67a1ada8a164b7bd3529b0fc
SHA1

c2ce238eb3905d86339cc05ba995c28ee027de87
SHA256

60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae
SHA512

ad75fb7d6d998dd0b535c02e3067e0e21289a7c8e328c27d8329e2c31e3fc8739a8a27ee0e9cc2139da9a1d1115c668de77fcfff5f6988084f503fb7187b0271
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYn:vHW138/iXWlK885rKlGSekcj66ciu

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	azxof.exe

Executes dropped EXE 2 IoCs

pid	Process
4688	azxof.exe
3012	uxysa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxysa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azxof.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe
3012	uxysa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4688	2872	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	88
PID 2872 wrote to memory of 4688	2872	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	88
PID 2872 wrote to memory of 4688	2872	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	88
PID 2872 wrote to memory of 2620	2872	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	89
PID 2872 wrote to memory of 2620	2872	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	89
PID 2872 wrote to memory of 2620	2872	60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe	89
PID 4688 wrote to memory of 3012	4688	azxof.exe	108
PID 4688 wrote to memory of 3012	4688	azxof.exe	108
PID 4688 wrote to memory of 3012	4688	azxof.exe	108

C:\Users\Admin\AppData\Local\Temp\60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe
"C:\Users\Admin\AppData\Local\Temp\60cb8f57ba0f009a441e09db7f876af018d6eb7ebded61d09799fe7fc71585ae.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\azxof.exe
  "C:\Users\Admin\AppData\Local\Temp\azxof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\uxysa.exe
    "C:\Users\Admin\AppData\Local\Temp\uxysa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d25a635a53142e2971e71acce13bcaa9

SHA1
22728a460175607a8f611ba21e6fe7501177ef3e

SHA256
d528732a39e62f4d98641fea8b15ae32a49dfcee78fbcfeea6d872ca07d7cfc5

SHA512
7c26ad1f319559c1c261eb808aa1faf1a103b4a02b21595ba311380c5d2f3ce12e3c3a1499e7d6fe36bebd0573eec3897f8faa1d52191475ed6604fd30c1d5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\azxof.exe

Filesize
327KB

MD5
f3d02e21220efd2e0a246026e249f4fe

SHA1
ff6da3a82de6e56cae5b5a375d6a08454b4d2cd2

SHA256
316e8ba2b848d3bc89bc7c4d286932ad725645052707c5e88f08d55d988cfb38

SHA512
e8901a9f5aae93196096e74938d2fb6d1d104b0190801ed120451658977873fadb8139d36e142f821c8dbce52b62feac7e8a6ea4d33f19e615dae0b4734ac7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eaa0a4849902c1d9dd9edb5fff867a61

SHA1
6c3039fc5e6d1f46a8a108d2b1339672efd76be3

SHA256
0fb6061fac6d67d838804540d7e76fe7f6443b1046a68fe035b8028e750e7495

SHA512
2446c5b88722f20529f5f69c331cce0577208a6c1f4e04d06aa8e33837495dbb148c316e5e2dc184f58a1aff6b6616e300fba6ad92ade8b79ae26eb80e6792f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxysa.exe

Filesize
172KB

MD5
117e20e3bdb3cda1fedbf0c372df47d7

SHA1
7253acb48d4e673b79bf07f94ac91a6eb24871ae

SHA256
27b46b398c244776dc19c4057ad3624b5cdf78f88df19ae5d2c0195b27be692f

SHA512
6f88d3513e56406a05bcef63314846a4c23958650e17fc3c49a8097b626bd11a7b0c9c155b14de878d2a4a931ce811c7090541694d8420111cbc4609450b8849

Download Submit
memory/2872-1-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2872-0-0x0000000000E60000-0x0000000000EE1000-memory.dmp

Filesize
516KB

Download
memory/2872-17-0x0000000000E60000-0x0000000000EE1000-memory.dmp

Filesize
516KB

Download
memory/3012-36-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3012-41-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3012-39-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/3012-45-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3012-46-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/3012-47-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3012-48-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3012-49-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3012-50-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/4688-20-0x0000000000250000-0x00000000002D1000-memory.dmp

Filesize
516KB

Download
memory/4688-13-0x0000000000250000-0x00000000002D1000-memory.dmp

Filesize
516KB

Download
memory/4688-14-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/4688-40-0x0000000000250000-0x00000000002D1000-memory.dmp

Filesize
516KB

Download