urelas | cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
Size

555KB
MD5

49578e06b681e1ad56ca5fd417aef0fb
SHA1

e6cbb060c5ab504f2ec3f2cc2f621eaed907727d
SHA256

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52
SHA512

75f26a3d205875d322337b5398b8627e77690d8c52f8db73e4391b846d0101f8a1fc4569d3d7ba0b209d7d8af1a2c730dc59f0f4f0115da1ed7460e879907471
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fewaf.exe

Executes dropped EXE 2 IoCs

pid	Process
1300	fewaf.exe
3396	xekaz.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4996-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/files/0x000d000000023a67-6.dat	upx
behavioral2/memory/1300-12-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/4996-14-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1300-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1300-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xekaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fewaf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe
3396	xekaz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 1300	4996	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	87
PID 4996 wrote to memory of 1300	4996	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	87
PID 4996 wrote to memory of 1300	4996	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	87
PID 4996 wrote to memory of 1168	4996	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	88
PID 4996 wrote to memory of 1168	4996	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	88
PID 4996 wrote to memory of 1168	4996	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	88
PID 1300 wrote to memory of 3396	1300	fewaf.exe	108
PID 1300 wrote to memory of 3396	1300	fewaf.exe	108
PID 1300 wrote to memory of 3396	1300	fewaf.exe	108

C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
"C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\fewaf.exe
  "C:\Users\Admin\AppData\Local\Temp\fewaf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\xekaz.exe
    "C:\Users\Admin\AppData\Local\Temp\xekaz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
16f866800d1bce0d461c4bf1d5cc826c

SHA1
dbdd17e36e972d424cd619b2deca408138b4a533

SHA256
f5422ceeba01071192926f939989bfd89156fcaa4cf7f586897de881ee34b1c8

SHA512
5dd2deb742a6250871301e90321cac04eba0fbc8e009bd506712159646a00e327f97efc2c2c3461ca2d325e151e0af7a4f739f22613705eb889faeb8b5b7acfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fewaf.exe

Filesize
555KB

MD5
119a1286c1ff1a03ffca11ea7a60bca4

SHA1
7d0a5f322ce201e7343d13e3397a37555d913356

SHA256
ca7ed7fe68a0120d5680d1bbeb65c86e54131cf08bf250eb30604b3a100e6be0

SHA512
df87c00e233db3fd5a9abe846f1003b9c9683a73fe5972d95e8ca88f5ea8e9a2469371b8ac7de523c05457dbec6787b8f2709a54f5eae977390a325a928db0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eedd50c3026b57a3101026fd32205227

SHA1
3972ac92107a6747047e14df45e9f7f94ac24301

SHA256
099b692ff3f03406c0f4a16e1c637fc06b4e7b3c657ac839bac8bb126c2e0aa1

SHA512
073ef580bad92199262bbed0261a8aa34b40ca8829ab305b177e4d5a6de311ab0d220f60b80dc7ad71cb518e5f1562083b0bbd6f45d38516c8667b897a9edb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\xekaz.exe

Filesize
194KB

MD5
a73fc722e5b6d2dd592b52470eb2398f

SHA1
8bdbc3994cebb80986c71157b5014a6eebf8f858

SHA256
0fa9c52beb00274ab2353bac1e79f00c83bc13a942c819cfd3a61e8f2916153a

SHA512
6ac4f622fdd5119c8f3c89b7c6bd920736fc3b713e409f4bd3b187c06e5fcc804fbb6294126f2d6ad6c0c8145c2f78fb9115ff93f54626baba98d84478175c39

Download Submit
memory/1300-12-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1300-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1300-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3396-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3396-27-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3396-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3396-31-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3396-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3396-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3396-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3396-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4996-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4996-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download