urelas | ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Size

327KB
MD5

3a42324892ed90b441f4ca7f5003f197
SHA1

df571092643708c31152b637ed2f1887a8f7cbea
SHA256

ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a
SHA512

68c2a41f56bf984f95a3fcc055c96e98a7c8b35dee9b20744b9704369a30a2311965106cbde0fbd71f9d3fb4b240e4201c16efd889069d6f0d08601d7dd601b3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYI:vHW138/iXWlK885rKlGSekcj66ci9

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	xequq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe

Executes dropped EXE 2 IoCs

pid	Process
1420	xequq.exe
3096	surir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xequq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	surir.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe
3096	surir.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1420	2792	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	88
PID 2792 wrote to memory of 1420	2792	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	88
PID 2792 wrote to memory of 1420	2792	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	88
PID 2792 wrote to memory of 4360	2792	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	89
PID 2792 wrote to memory of 4360	2792	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	89
PID 2792 wrote to memory of 4360	2792	ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe	89
PID 1420 wrote to memory of 3096	1420	xequq.exe	106
PID 1420 wrote to memory of 3096	1420	xequq.exe	106
PID 1420 wrote to memory of 3096	1420	xequq.exe	106

C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe
"C:\Users\Admin\AppData\Local\Temp\ecf7c04166f05df4bf3ba71e0840b8e3c37132d7196613aa267d9553aa73000a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\xequq.exe
  "C:\Users\Admin\AppData\Local\Temp\xequq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\surir.exe
    "C:\Users\Admin\AppData\Local\Temp\surir.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
aa871695149228d63195c3cfab93b26f

SHA1
450cd094bce0bc3c7cd398d2fa89528c88a7c954

SHA256
1f46b535ae994c35cb582bcc7d12340ad844492ba41b318f0461f3ddcda99017

SHA512
916be60582f9d1d10cae48ad08e33bd7932c17ded77d3bc2051bf7b089feb9e4e29e1645a94c1b4ba93739d1304c7c345e3d022d8bcf15ecb5cea33fd13311b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b3f015996a3b01592be204c97ef9d1a8

SHA1
6a59d8459e0d5bfbf1dff4420f1ee63b39529549

SHA256
2479109b1ed0fc2060d7b816143c76e0a1f8165f5196dc6d5b5e42a0eb79a105

SHA512
2d8e1389835ce5ae564904a762091e98206857cbcc07963119a99d2acbbe8e49aff67e16256c4deaa09e2b2203d80d1f43c609a6ae63a0f726ee7b9359ade020

Download Submit
C:\Users\Admin\AppData\Local\Temp\surir.exe

Filesize
172KB

MD5
d638630c1d57eab3d8a8a9f399523c57

SHA1
4adcb105551e517761473cb35ab18db55970fcb4

SHA256
267838183c76c93b53828f550e68cd832a464df0189254b639a940bb1376c979

SHA512
98dd46a7e374771e272278ad0fbfa20127b90b625b07d7be24c6ac0063bad0f0a8b180a0c818d1e15eab29d6e7b833b865aeab8b956e4ed3549736d341eb1fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xequq.exe

Filesize
327KB

MD5
44ac9419a8c7d872f9f9daad18c5e071

SHA1
893dff26f842d419d1d4d721e8cba928487083a7

SHA256
273aa726343f6fa307c79e883eccd61b2865aa7403c1e9a84acfa16d5281124c

SHA512
8864e768ea4522d90660cd59f1d089ded632c40b67e547d5ee3d2ca827f76e1dbc0800e65ca8de972145b475ffa93fbb829f4f81c01e6a8c90c99fd8b07447e1

Download Submit
memory/1420-20-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/1420-39-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/1420-11-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/1420-13-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2792-17-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/2792-0-0x0000000000B70000-0x0000000000BF1000-memory.dmp

Filesize
516KB

Download
memory/2792-1-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/3096-40-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/3096-37-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/3096-41-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/3096-45-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/3096-46-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/3096-47-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/3096-48-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/3096-49-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/3096-50-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download