urelas | 4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
Size

542KB
MD5

7cb2da7a368758901ae50496e1ab8409
SHA1

67462ee2244a439670ddc83b9476d04b1d291eed
SHA256

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb
SHA512

f91c7691a5e5d93e98cf00a2b6911cc0a549462eb3e38e107697b154a2b830ce0659ac6cc02e151258c913f1fd3d3e74faee68b1082e310d38444713e4bb0484
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuK:92SLi70T7MifjR

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exezyguk.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	zyguk.exe

Executes dropped EXE 2 IoCs

Processes:

zyguk.exekozup.exe

pid	Process
984	zyguk.exe
4232	kozup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3672-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x0007000000023c65-6.dat	upx
behavioral2/memory/984-11-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/3672-14-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/984-17-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/984-27-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exezyguk.execmd.exekozup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyguk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kozup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kozup.exe

pid	Process
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe
4232	kozup.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exezyguk.exe

description	pid	Process	procid_target
PID 3672 wrote to memory of 984	3672	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	85
PID 3672 wrote to memory of 984	3672	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	85
PID 3672 wrote to memory of 984	3672	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	85
PID 3672 wrote to memory of 4076	3672	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	86
PID 3672 wrote to memory of 4076	3672	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	86
PID 3672 wrote to memory of 4076	3672	4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe	86
PID 984 wrote to memory of 4232	984	zyguk.exe	102
PID 984 wrote to memory of 4232	984	zyguk.exe	102
PID 984 wrote to memory of 4232	984	zyguk.exe	102

C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe
"C:\Users\Admin\AppData\Local\Temp\4187dfa780044d2ef9dea7482926539c63ccdd3070b40be7c1e7ae2d4469ebeb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\zyguk.exe
  "C:\Users\Admin\AppData\Local\Temp\zyguk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\kozup.exe
    "C:\Users\Admin\AppData\Local\Temp\kozup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b8b3786bea09df4dacdda40fa528792b

SHA1
8ed746037a2ffe98e00f5ae2f82b814883a994de

SHA256
5a89a5a62b7449a512e0c173968af37c730d348158bc1f5c914b372d0838bda8

SHA512
979f9494f9270cf190ba63b163ecff1ffb4fff1ed234294e76b52547124595d62ca61b1d8cee376f6d8281f3f52191fee27a7494527512b1255b4ce60c976ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
69dc79ca9ab0ee11a95d056188dca86b

SHA1
186e480aff200b57fed2693bbe92de4d5857ab50

SHA256
ff2489a0cc2b657212934f752f7af31a99cdd43ab32054162d7cdab657339407

SHA512
c3d8384abf6594e581981dcee5d950ce684d46101a76d2ac222a2909cb687fff02052cdbad438c810cb22d1a16a92deb6426ecb7e3f1912b701c928b3f4afc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\kozup.exe

Filesize
230KB

MD5
8ad7d4f50aba7e7b0686337267d463b4

SHA1
e684af191341f0ec955334c83596477bcc359780

SHA256
630c20936198730ee94dff407eb645044d6f8da28e80aad0b140ac324065af59

SHA512
622ff26b4f52ee97a82add0538aa60c0b307943e3f574b42a431d2ba2860e94b3d1f502a8ce3cf15700cc8c63d6e2b38a6f75b105afafd099c2c58e2e23ea8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyguk.exe

Filesize
542KB

MD5
3042592dba7f97b1b6bcf4213aafe2bb

SHA1
ff755410f1b09cb10d213ca672d824ea68e24700

SHA256
f0dec5874830a966f6df0d4b1e1d66a234b05d27636d6c3affa91d37f4bd3cfc

SHA512
b642dfb7bf5c23da58f61f8a3057d081014b8fd8f7873ebe9b2bb7719c42e6610931c13bb75dbadcb5705439c3e1244fb325ad27a239b6d16428699206d37700

Download Submit
memory/984-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/984-11-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/984-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3672-14-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3672-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4232-26-0x0000000000920000-0x00000000009D3000-memory.dmp

Filesize
716KB

Download
memory/4232-28-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/4232-30-0x0000000000920000-0x00000000009D3000-memory.dmp

Filesize
716KB

Download
memory/4232-31-0x0000000000920000-0x00000000009D3000-memory.dmp

Filesize
716KB

Download
memory/4232-32-0x0000000000920000-0x00000000009D3000-memory.dmp

Filesize
716KB

Download
memory/4232-33-0x0000000000920000-0x00000000009D3000-memory.dmp

Filesize
716KB

Download
memory/4232-34-0x0000000000920000-0x00000000009D3000-memory.dmp

Filesize
716KB

Download