urelas | ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Size

327KB
MD5

3a42324892ed90b441f4ca7f5003f197
SHA1

df571092643708c31152b637ed2f1887a8f7cbea
SHA256

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a
SHA512

68c2a41f56bf984f95a3fcc055c96e98a7c8b35dee9b20744b9704369a30a2311965106cbde0fbd71f9d3fb4b240e4201c16efd889069d6f0d08601d7dd601b3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI:vHW138/iXWlK885rKlGSekcj66ci9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ryysd.exe

Executes dropped EXE 2 IoCs

pid	Process
2568	ryysd.exe
3200	oroba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryysd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oroba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe
3200	oroba.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2568	4648	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	87
PID 4648 wrote to memory of 2568	4648	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	87
PID 4648 wrote to memory of 2568	4648	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	87
PID 4648 wrote to memory of 4112	4648	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	88
PID 4648 wrote to memory of 4112	4648	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	88
PID 4648 wrote to memory of 4112	4648	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	88
PID 2568 wrote to memory of 3200	2568	ryysd.exe	105
PID 2568 wrote to memory of 3200	2568	ryysd.exe	105
PID 2568 wrote to memory of 3200	2568	ryysd.exe	105

C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
"C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\ryysd.exe
  "C:\Users\Admin\AppData\Local\Temp\ryysd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\oroba.exe
    "C:\Users\Admin\AppData\Local\Temp\oroba.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
aa871695149228d63195c3cfab93b26f

SHA1
450cd094bce0bc3c7cd398d2fa89528c88a7c954

SHA256
1f46b535ae994c35cb582bcc7d12340ad844492ba41b318f0461f3ddcda99017

SHA512
916be60582f9d1d10cae48ad08e33bd7932c17ded77d3bc2051bf7b089feb9e4e29e1645a94c1b4ba93739d1304c7c345e3d022d8bcf15ecb5cea33fd13311b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
99ab46aff77f2a14d826e5edc4c0c58f

SHA1
97b34305fcbfd9ca22ef136fed37298f4b8bb2c4

SHA256
da9abf71ad34473e9a56243d48c21b1e138ce5e9191671a2843e393117ae5fe3

SHA512
c7d2f8b811777fa3efb03412a9ca09f31b099c017d94848aa7da9e046eb46f76dd099d316740416d6cc731327433a5960efeabf38e17d86935f64e960e29b988

Download Submit
C:\Users\Admin\AppData\Local\Temp\oroba.exe

Filesize
172KB

MD5
52d1c91796060f0ed7c8f15d873f2a63

SHA1
94e5484f69ae6245fb9e0991564968159b1f7c3f

SHA256
8ffc51bccdf2817dfd24cc1b6060c939156df36834da3dee9251d7fc6f78e55e

SHA512
7a3135e7f603d8a8e65780a65ef3133f405127bc36f801fed0cb82d7f9b91c075f65392e19f0f9cc35dd7e10a76c78d684a66e3d83521fd5714726e04fc3bbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryysd.exe

Filesize
327KB

MD5
bd17f3c9be9a1ed27be8ffeb32caecc3

SHA1
256187247320246d08f726c22a07c01df3e03ed8

SHA256
5b829c65624da4d447988aceb9ceeeb2285544c815eedb61c099ffb3dec723db

SHA512
03da57e21607daaacbdf0d4dd0c5cdc2d92b13dd682c9d6a77043aa9fa89c0eeac5aa270e8331d87c81d559e6f0707f768a3eba4ac1102486e925368005c115e

Download Submit
memory/2568-21-0x0000000000760000-0x00000000007E1000-memory.dmp

Filesize
516KB

Download
memory/2568-41-0x0000000000760000-0x00000000007E1000-memory.dmp

Filesize
516KB

Download
memory/2568-12-0x0000000000760000-0x00000000007E1000-memory.dmp

Filesize
516KB

Download
memory/2568-13-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2568-20-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3200-46-0x00000000000A0000-0x0000000000139000-memory.dmp

Filesize
612KB

Download
memory/3200-39-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3200-38-0x00000000000A0000-0x0000000000139000-memory.dmp

Filesize
612KB

Download
memory/3200-42-0x00000000000A0000-0x0000000000139000-memory.dmp

Filesize
612KB

Download
memory/3200-47-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3200-48-0x00000000000A0000-0x0000000000139000-memory.dmp

Filesize
612KB

Download
memory/3200-49-0x00000000000A0000-0x0000000000139000-memory.dmp

Filesize
612KB

Download
memory/3200-50-0x00000000000A0000-0x0000000000139000-memory.dmp

Filesize
612KB

Download
memory/3200-51-0x00000000000A0000-0x0000000000139000-memory.dmp

Filesize
612KB

Download
memory/4648-17-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/4648-1-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4648-0-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download