urelas | 44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Size

660KB
MD5

a6266879bf0a44e874cd31d192bdf5f6
SHA1

9de67ceec7bdf912b1d798fbd19420529e379625
SHA256

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c
SHA512

d242b534f687127566973a8cb9357ae906d43f3b03b99e6127bb174ef1a1ad98b496a5a1d6cd3d64d294aad62bdbef7bcb6a3fe4ed1eed1d57342d8bd0b85244
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqL+:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0Y

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exexafeo.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	xafeo.exe

Executes dropped EXE 2 IoCs

Processes:

xafeo.exebixyb.exe

pid	Process
4992	xafeo.exe
4320	bixyb.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1784-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/files/0x0002000000022b13-6.dat	upx
behavioral2/memory/4992-11-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/1784-14-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/4992-17-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/files/0x0002000000021f4b-22.dat	upx
behavioral2/memory/4320-26-0x0000000000380000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4992-27-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/4320-28-0x0000000000380000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4320-29-0x0000000000380000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4320-30-0x0000000000380000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4320-31-0x0000000000380000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4320-32-0x0000000000380000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4320-33-0x0000000000380000-0x000000000043A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xafeo.execmd.exebixyb.exe44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xafeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bixyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exexafeo.exebixyb.exe

pid	Process
1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
4992	xafeo.exe
4992	xafeo.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe
4320	bixyb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exexafeo.exe

description	pid	Process	procid_target
PID 1784 wrote to memory of 4992	1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	87
PID 1784 wrote to memory of 4992	1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	87
PID 1784 wrote to memory of 4992	1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	87
PID 1784 wrote to memory of 5024	1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	88
PID 1784 wrote to memory of 5024	1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	88
PID 1784 wrote to memory of 5024	1784	44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe	88
PID 4992 wrote to memory of 4320	4992	xafeo.exe	107
PID 4992 wrote to memory of 4320	4992	xafeo.exe	107
PID 4992 wrote to memory of 4320	4992	xafeo.exe	107

C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe
"C:\Users\Admin\AppData\Local\Temp\44128ee9635eb21323cf8fcc8aa08ded62186bc4da07687915ccf20afa6aaf5c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\xafeo.exe
  "C:\Users\Admin\AppData\Local\Temp\xafeo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\bixyb.exe
    "C:\Users\Admin\AppData\Local\Temp\bixyb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
b23e7f2f3c58c3d21b81b382cba96da4

SHA1
780679cc0d062f165ac6ef06869f105c70675291

SHA256
96d14de4bb9c7ddf259885a0f6d3f22a37c193ed453824e0048d81f5cda23f2d

SHA512
e212967f932797035c0e48efa1d4fb0441304e1f074367ddfd20f2d404224f5729d7fde5feb54076fb1940674c381ed16a89df04bb20d170df2f881b78ec9b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\bixyb.exe

Filesize
243KB

MD5
5fd21fd2f243f8128684a3bd7aadf682

SHA1
9bbaa008964c7db7b8b91bee9815891fda3828dc

SHA256
481b648b273de5e7bac22d335fba46ad4409d3fa8b88f7e7ddd9786d8f62e5ba

SHA512
2f067472e87416c7b344d125ef38ff62cdd6c830bd19e2c40c6bcabde669c9d7ccf669ee9407b57de229dda4ece396ad176707b95b99da980637699f7e294d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d466c384e76da8e427fac073d472db30

SHA1
55d228ffcc61468e9c343079aa12a97acb1b2948

SHA256
dfe23af93f9f5210fa75462e1d6ac5d63d83ebaf221fe93e1e0b8ae235eb4158

SHA512
d478e9c40cbbb968ba11d5dce1e7c44fbb6ebf090e13a53a3de21be1160d59567ef21ff2cf6457f7d1d51361bc0f664e682d164cdc9dfacf206c1e8967184567

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafeo.exe

Filesize
660KB

MD5
4186196208a96735c23bdbf40e5430d1

SHA1
57bd41e9859b9ff876e55e8dfe4037f5e51db8ad

SHA256
4a8112618db33ca7c07415ccd871dff6b06bf853cfa7f67783e6a0f8cd94c457

SHA512
d39f9ea97a82b58b5480737475cbce35fc3cc5d8f737a017846e7c8ca56606d4120998eeb88496881c10c127880440ee58052900afd4a312de9ca517dcf05bb9

Download Submit
memory/1784-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1784-14-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4320-26-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/4320-28-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/4320-29-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/4320-30-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/4320-31-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/4320-32-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/4320-33-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/4992-17-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4992-11-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4992-27-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download