urelas | 3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Size

466KB
MD5

0542083c1a2b3eff0f640709bca31c47
SHA1

58b1f802ece5eab93975a56756c86c8a2ce06b0d
SHA256

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127
SHA512

db3b7fb869264fcb120cd39e562a563e9e762943def5f07b95443b93dce8adb26ab1496824923a6544a8407e6fbbea5cd25fab638dec20086d957297f7fd0e01
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Ui:m6tQCG0UUPzEkTn4AC1+D

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	bejof.exe

Executes dropped EXE 2 IoCs

pid	Process
5100	bejof.exe
4544	jateq.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000705-22.dat	upx
behavioral2/memory/4544-27-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4544-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4544-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4544-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4544-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4544-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4544-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bejof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jateq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe
4544	jateq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 5100	1040	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	83
PID 1040 wrote to memory of 5100	1040	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	83
PID 1040 wrote to memory of 5100	1040	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	83
PID 1040 wrote to memory of 4364	1040	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	84
PID 1040 wrote to memory of 4364	1040	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	84
PID 1040 wrote to memory of 4364	1040	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	84
PID 5100 wrote to memory of 4544	5100	bejof.exe	103
PID 5100 wrote to memory of 4544	5100	bejof.exe	103
PID 5100 wrote to memory of 4544	5100	bejof.exe	103

C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
"C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\bejof.exe
  "C:\Users\Admin\AppData\Local\Temp\bejof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\jateq.exe
    "C:\Users\Admin\AppData\Local\Temp\jateq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
c001961ada7c141204643153156c6c16

SHA1
4276c08e03f962170b20c55a5dc3a21ccedb2efe

SHA256
2c72b51622aedea6c683214d41dd4ab978e8f81c7c8ff6aae0bbeaeb6e128045

SHA512
aa5d9c1292855875486abd83a8ced07d0592bcd68b1501510222e9136717c9606bea0fef86df095105149abe31e1c8a989d78ef8e92d1a1680da4cd5d0d0f61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bejof.exe

Filesize
467KB

MD5
d7a8cf9a246ff38013ba68d14d8a0b54

SHA1
f5cb60f5bd9c8ba2c3623960b3791077a80b6826

SHA256
5a8cb5900c2e6b6427bfba4f9b954c3ed60029d97070441f032d51ff40c5b86b

SHA512
b71bad34b12e22cc9704e4769eac09c5a9c1d53ba03be371fd3826871e045e233e043ce27cb792a355651caa93ea31ff2a3a0967862b32557a388bd8f419e11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7d0b00f7e5e2cfc82647b93952c779b0

SHA1
2ed6f034488d83fbec2c89320cc51b951a64859d

SHA256
71ee8d8121c5d024f0b3f1bc0f68ad8705b9b80bf1cc2fc96b7a7f590a6e100d

SHA512
e1b76c463f8791b01ba2ad39f78d42235783d96f312078f08693ee75f3dfb7f7133d748f01f2fe01ca24a54bd5b6074db2f773561f1439ea952a4b357a0b6f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jateq.exe

Filesize
198KB

MD5
87eca3698d9977a4bbf5db2411035213

SHA1
8779876a45812bd87b113d377766864aac2a83d1

SHA256
006afd1764b86e668d903f3a729ec68ff0f102bd99f8fcd4f7132c13be13788b

SHA512
813f899e645fa0bd847464ee1db35c0a71c21c140ca492f8610b9c218be2cee9e5f72028f06820f84e5e0c67dbea8f15bf24bb9f351a37cce235295bdd06a883

Download Submit
memory/1040-0-0x0000000000F60000-0x0000000000FDC000-memory.dmp

Filesize
496KB

Download
memory/1040-14-0x0000000000F60000-0x0000000000FDC000-memory.dmp

Filesize
496KB

Download
memory/4544-27-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4544-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4544-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4544-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4544-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4544-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4544-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5100-17-0x00000000007D0000-0x000000000084C000-memory.dmp

Filesize
496KB

Download
memory/5100-10-0x00000000007D0000-0x000000000084C000-memory.dmp

Filesize
496KB

Download
memory/5100-26-0x00000000007D0000-0x000000000084C000-memory.dmp

Filesize
496KB

Download