urelas | 2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Size

327KB
MD5

8683596a79ee62e258067bbadaa4e0b0
SHA1

2804b7a54623958f9feae3720d47cf43d190301c
SHA256

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7
SHA512

776cf6027bfa30d32fb61e54cbed0e9a34a9e20e6645f83cf2e434952a7b9c641410b81ddd816570c41449ce30e90b33b21041d34ba43419526b9ff664fbc97d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exehumob.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	humob.exe

Executes dropped EXE 2 IoCs

Processes:

humob.exevyxef.exe

pid	Process
4236	humob.exe
4060	vyxef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exehumob.execmd.exevyxef.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	humob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyxef.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vyxef.exe

pid	Process
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe
4060	vyxef.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exehumob.exe

description	pid	Process	procid_target
PID 1216 wrote to memory of 4236	1216	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	87
PID 1216 wrote to memory of 4236	1216	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	87
PID 1216 wrote to memory of 4236	1216	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	87
PID 1216 wrote to memory of 4384	1216	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	88
PID 1216 wrote to memory of 4384	1216	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	88
PID 1216 wrote to memory of 4384	1216	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe	88
PID 4236 wrote to memory of 4060	4236	humob.exe	106
PID 4236 wrote to memory of 4060	4236	humob.exe	106
PID 4236 wrote to memory of 4060	4236	humob.exe	106

C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe
"C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\humob.exe
  "C:\Users\Admin\AppData\Local\Temp\humob.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\vyxef.exe
    "C:\Users\Admin\AppData\Local\Temp\vyxef.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8f89209875b68dc7aeabfe4e5d52c438

SHA1
2c9fc8e53f1dbda9a7d4a30f563eec47b2dba870

SHA256
1fbe0b77c72646d6661853e1ed49513eac6cd002259fbc2ccb8a3550f6e79725

SHA512
264828e36193cb454896c4243afd62f27fbd5838903f349ea31998c8de52ec6062f4ae7531d8385613dd01d1f6587d077ac36fa0a9b1a01eb8b7b531346af803

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d018479524884e2979bb5fa3115fb033

SHA1
0105da929efdb93c762ed127cac2b3444390683f

SHA256
91cc0e189c6cea2431fbac885b9566bf34e95fefb8ced4b31e6ae4994b344231

SHA512
f9972a8614e5a9524aa881d376670c70ef4aff886a8b998e7a1a82d5fb81a4ed835d8449230acbfa62c29237cd95f33eb49bfa692de3d56ab9bf3effe784e741

Download Submit
C:\Users\Admin\AppData\Local\Temp\humob.exe

Filesize
327KB

MD5
f44221945a2b0704d2c1846e041a625f

SHA1
27a7d6d9d43fb604777cf223fd48665252570482

SHA256
d07558a6949f223d02247981a61c86b52717734bda3c15d68be86add081ea9ff

SHA512
e8e58a431ad19a00b32d84bd40b8d44a07288e88ca27e737b0cacf2c1496c64c69ff738ee76a8df60721a0e759a9715994fbe92b90a3fb4872e440088d96fe0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyxef.exe

Filesize
172KB

MD5
74db46ff8d1b36ba19d75df2b9211f20

SHA1
d1da45d3dda3c4c5af7f7930446164706b53301f

SHA256
ef108d70ecb2dda4f2f02ef3dbdbf3dab71f403e5c1713fd29549305e014d2f9

SHA512
8ab69ca0ab431bf8efe6d50275324e1ccb2d7efe81093737d58910d3e5760d3dbb78d5c8bbc17d27379d988b2161d6fb2b32c94783839ad07c040a6ca0441132

Download Submit
memory/1216-0-0x0000000000440000-0x00000000004C1000-memory.dmp

Filesize
516KB

Download
memory/1216-16-0x0000000000440000-0x00000000004C1000-memory.dmp

Filesize
516KB

Download
memory/1216-1-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/4060-48-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/4060-47-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/4060-45-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/4060-39-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/4060-46-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/4060-40-0x0000000000CB0000-0x0000000000CB2000-memory.dmp

Filesize
8KB

Download
memory/4060-37-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/4060-44-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/4236-12-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/4236-42-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/4236-19-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/4236-13-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download