urelas | 07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe
Size

435KB
MD5

3b201875436ad770fa6c1764993e6f57
SHA1

e38476ddebbb73d84ec738b643e4a4d72f3d8e99
SHA256

07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1
SHA512

d4e49272f5228bc4b6658e53df4a7165511f14082a77163f4ccaeae25007b292a339b6ff82e379f987cad3988916a0cb7e205a99a4db126198409dea97ddf05a
SSDEEP

6144:iEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpvU:iMpASIcWYx2U6hAJQnX

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	veopb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	jujegi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe

Executes dropped EXE 3 IoCs

pid	Process
2032	veopb.exe
4552	jujegi.exe
3172	lufar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	veopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jujegi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lufar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe
3172	lufar.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 2032	3124	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	82
PID 3124 wrote to memory of 2032	3124	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	82
PID 3124 wrote to memory of 2032	3124	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	82
PID 3124 wrote to memory of 1144	3124	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	83
PID 3124 wrote to memory of 1144	3124	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	83
PID 3124 wrote to memory of 1144	3124	07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe	83
PID 2032 wrote to memory of 4552	2032	veopb.exe	85
PID 2032 wrote to memory of 4552	2032	veopb.exe	85
PID 2032 wrote to memory of 4552	2032	veopb.exe	85
PID 4552 wrote to memory of 3172	4552	jujegi.exe	95
PID 4552 wrote to memory of 3172	4552	jujegi.exe	95
PID 4552 wrote to memory of 3172	4552	jujegi.exe	95
PID 4552 wrote to memory of 1876	4552	jujegi.exe	96
PID 4552 wrote to memory of 1876	4552	jujegi.exe	96
PID 4552 wrote to memory of 1876	4552	jujegi.exe	96

C:\Users\Admin\AppData\Local\Temp\07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe
"C:\Users\Admin\AppData\Local\Temp\07a5aca6c6c133acfe75d623016356d8185bb5777c9df033a6858aef96a6ddc1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\veopb.exe
  "C:\Users\Admin\AppData\Local\Temp\veopb.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\jujegi.exe
    "C:\Users\Admin\AppData\Local\Temp\jujegi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\lufar.exe
      "C:\Users\Admin\AppData\Local\Temp\lufar.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
32b3adf8bbd2009a02d6fceedcf7ec09

SHA1
2a7e156c842cd506979232be042d9e6ad76d8494

SHA256
c6926ee52dbf3379ee9f9afa8817376c16d08ee9c423c9ee68229635bb54738d

SHA512
530db2077a555ea21b51d98736f84c54689935068bece63c82a8f3731b4c56159bb1368760f28fbb73a95b81a124c54bbe42791477384c20714ced7c10a5308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b9e9d601b11b265e1a3d2be1487441b3

SHA1
6941dc6e1d8480b11ac290e0ef6e0c7df6e7c55d

SHA256
3a9dee0c17e284a24476f786bf619defb669a3fdaae3f91d9e2ce2cdc8cfb8f2

SHA512
db837aed445d3e8d25a13540c11dcda0e5fe8f350d7d1533bfa3fea468f69b90b533500cb756ca11e5b20a8775ee33f9fe71d36966851f318fb68f4e5aa2bef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3bd3990e1709bc6849dbca2774e235d7

SHA1
06ee348559a2f882e8dd486f74125ed541a0eca4

SHA256
117a83619fab57f6b97ba8f4533df48be3c16566dc6953c40362ad4f5ac8774f

SHA512
adf6dfa85ad03cae28392594b0ef146c48427606b6d22568c68bc632a60bfece43b643dbc5c00f173fc40defa682815dd69555b51f0dafb20b017274e34ff76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jujegi.exe

Filesize
435KB

MD5
11557bd5070393ebc4f0b9ea22aecc45

SHA1
e61603d3c3683c453c5b647ca0aaa685d56559a3

SHA256
70abfd81c78574f6eff91c980ae49a263c907f43314fd2aa1e3176db25de1888

SHA512
40ff5497f2a884ccd0244eed111ad324c76478c5c59df6d7b09330de36ee4d977c3a358135cdc3498be989cba63e5e535c38206e2fbf59d25c17b09171411c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\lufar.exe

Filesize
223KB

MD5
b30113486308674ce8222bde8e85c763

SHA1
69dc1a28bf594c1e9fdb462ff04e84c9952601b4

SHA256
851b0d44650debf692ebf19df12f84b7044fbe63bff1183da7e904f754ef82f3

SHA512
a970ebf2c9524f8f6b5cfed63980edb27ff6bae276486413d200414101060247880606008d86db58253d90c727a1ec5760ab7408f7ac175b4f428267d0bf0c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\veopb.exe

Filesize
435KB

MD5
339ee576c33df871ed2270653f4b3529

SHA1
e8543c3abcee8af8f9b1eee00f04f3cafe1302db

SHA256
822e46a7c787bc8065a2ef55bcc21f48520dc9dbbf01a12bf6078468c03169c2

SHA512
ddb6ea2d952d7cb679c1858869dfc4112baf0bf5426acd36ffe2c52db0d2379d24cdd1cbd09c0388be6df697c6dcf98287ab70d3d744ceaf680f8ba73fa784e0

Download Submit
memory/2032-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3124-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3124-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3172-35-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/3172-41-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/3172-42-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/3172-43-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/3172-44-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/3172-45-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/4552-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4552-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download