urelas | cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe
Size

332KB
MD5

a483e212eee2562eaef4759e146545dd
SHA1

58bf3dc2c9c6bf219429752eecc5b79ffe64599e
SHA256

cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502
SHA512

2c38a5960a8f02785d4a016eb841f8ae3206416bcd1402e043075cd4151260a95363fc19cd63aa8eaa075ffa949ee471d895159119cc6836d2c7dbc233af34b7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY0:vHW138/iXWlK885rKlGSekcj66ciJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	toabn.exe

Executes dropped EXE 2 IoCs

pid	Process
1976	toabn.exe
5004	cunox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toabn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cunox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe
5004	cunox.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1976	1856	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	87
PID 1856 wrote to memory of 1976	1856	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	87
PID 1856 wrote to memory of 1976	1856	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	87
PID 1856 wrote to memory of 4288	1856	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	88
PID 1856 wrote to memory of 4288	1856	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	88
PID 1856 wrote to memory of 4288	1856	cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe	88
PID 1976 wrote to memory of 5004	1976	toabn.exe	99
PID 1976 wrote to memory of 5004	1976	toabn.exe	99
PID 1976 wrote to memory of 5004	1976	toabn.exe	99

C:\Users\Admin\AppData\Local\Temp\cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe
"C:\Users\Admin\AppData\Local\Temp\cf520deda8e9445d2dd41e54b9bcdfef0041bae6e43a421d53dc35bf33746502.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\toabn.exe
  "C:\Users\Admin\AppData\Local\Temp\toabn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\cunox.exe
    "C:\Users\Admin\AppData\Local\Temp\cunox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
05fad4023643934edb845cd4f0e35074

SHA1
af4bb724c2697da130488152475135de2aa24c4d

SHA256
17c5f570e988f0efa42e0be213fc971821ed9a18bbaab104ff8e885a189daab7

SHA512
28d0ded44e49d3dd1f81d30be3307259c9e3d9af44631ee0723dd73c323d1077b1da64e8f36768ee534c515aed51b47a1a5e1fd47af50878578faf4c53bee816

Download Submit
C:\Users\Admin\AppData\Local\Temp\cunox.exe

Filesize
172KB

MD5
3bcc83d2baa6a61bd611d65ad605f402

SHA1
1830adb3821cc2870aed22ba46523e931528252f

SHA256
94cdb0575df44479eb42fa351fbe92084d73e4b0e02c01cdf4a20df3e5603cc0

SHA512
0faefe65a7058a6753aab0f01ea82ee2acec550e937fb956192a5bef7857bac443448864947c087b1fc8343d76d0a3b889058bb87b280a2a50805816a809237a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cbcc022fcecbd2060693759e91a90e3b

SHA1
7411e7be43ea2a51154fdb9d3b17c7f7b48d97f4

SHA256
907a2c8003e77c9539f3e79772fa527bedcacc78678552c2b68108ce76539185

SHA512
67be4511d87ef564becb25ca909ed9cdde283d865f296cf1c44339b93abf624b6aa5129c8a63b269ba1113cc54667a370fbbb382427af2dec6c46b06626c85fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\toabn.exe

Filesize
332KB

MD5
9dabb946f130f7ee872ed992449d5462

SHA1
daf83198a6804fd7f59b03d6c87247b1dee3181b

SHA256
ea3d846168f0ea1dd8d3ece79a07e75d821a49937f0e65aa4f0b7d914113cd28

SHA512
bd60446f21d368ab7a58828f1b3057ff798fdbed59edac8871d38418ac30d78107a6b3cd9be49ea31457f39df7a0310f6be3ee2bf49db7ce61d653065ee3beb3

Download Submit
memory/1856-17-0x0000000000710000-0x0000000000791000-memory.dmp

Filesize
516KB

Download
memory/1856-1-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1856-0-0x0000000000710000-0x0000000000791000-memory.dmp

Filesize
516KB

Download
memory/1976-44-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/1976-14-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1976-21-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/1976-13-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/1976-20-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/5004-38-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/5004-40-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/5004-39-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/5004-46-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/5004-47-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/5004-48-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/5004-49-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/5004-50-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/5004-51-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download