urelas | 9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Size

331KB
MD5

7eee5a9c09ab106a678b4e266607e694
SHA1

7a4f8588d6089f4b8e25582bc11dfa9e1302df84
SHA256

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb
SHA512

4ecb3d5966d401af3b4969563e8ccf3157c63b56a48b829d70eded05e7f1aee8a13241393363f6f62a73daa868a2e864dce2ca95b85190ba19ca59de1c9e5f9f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVRJ:vHW138/iXWlK885rKlGSekcj66ciERJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.execehow.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cehow.exe

Executes dropped EXE 2 IoCs

Processes:

cehow.exetyqik.exe

pid	Process
1108	cehow.exe
1576	tyqik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.execehow.execmd.exetyqik.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cehow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyqik.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tyqik.exe

pid	Process
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe
1576	tyqik.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.execehow.exe

description	pid	Process	procid_target
PID 2040 wrote to memory of 1108	2040	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	83
PID 2040 wrote to memory of 1108	2040	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	83
PID 2040 wrote to memory of 1108	2040	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	83
PID 2040 wrote to memory of 2092	2040	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	84
PID 2040 wrote to memory of 2092	2040	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	84
PID 2040 wrote to memory of 2092	2040	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	84
PID 1108 wrote to memory of 1576	1108	cehow.exe	103
PID 1108 wrote to memory of 1576	1108	cehow.exe	103
PID 1108 wrote to memory of 1576	1108	cehow.exe	103

C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
"C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\cehow.exe
  "C:\Users\Admin\AppData\Local\Temp\cehow.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\tyqik.exe
    "C:\Users\Admin\AppData\Local\Temp\tyqik.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6357433b9e289fbeedec0c4e4ea64826

SHA1
b1e70d0a33000976fee37bd86ec4b4941fe0e670

SHA256
26310e4f8e01c3574aee93d0394314e49692bb70bfc4562d80d09b66adb46428

SHA512
af021ae4d737d676154f27f5478f91afe8e29993abb71f4b82d2c04a62e4388323c5ed3bd6737f696f691828c587be114cda834375db1475e79e10a0e55b0ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cehow.exe

Filesize
331KB

MD5
4861f4ca6900b933df1548b0c8762187

SHA1
77583dd2b616a7d88e00ba84b97baf8f57596a6e

SHA256
abb781f083687801bd1ef877cae4a28f7886d54ab601084b11cfe3c1fc546e9c

SHA512
3edca2b72b12e1feaf547a57d32f102dac4204769f4591c07f51e2b09fc81dba4135e282049d66e717f4566b210110ffc952161d04b3fd4c11505260ac1a8d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
886a3aea2a88633a247194728b1a935c

SHA1
16c20658d2d22e24b242c4580436681a496d8160

SHA256
bb60659c35a47a564de7e9fe17eccbf3c9b3ac95e6e0eb416367331cc6a6c903

SHA512
81da8d36e2ce5e64b75fb4d86b162b6be02aef5392e9844c6f30b3cc8ba75a0ba7f95e05b1adfed5c57e58a1eabe2c5937e555d97e56dbd0a1d892252da81f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyqik.exe

Filesize
172KB

MD5
eb9c864f382d868869dc6775c56e29fd

SHA1
d06bb6b9eb377024bd262d158d5f784c29e0667e

SHA256
d4e8f47ea2f5e3b6be86eb67ac2b73e2bd31a276a45f3dac6607b9dde6e97e5f

SHA512
9c0aade6970f1c9769b3d33daa106eef63f81f2fe28a54c1efd038ede7d96f3eb3e7c317c61c1aa0aff890600369c06e4dc6aab732c7141ba7cd662929ff696f

Download Submit
memory/1108-20-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/1108-40-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/1108-11-0x0000000000520000-0x00000000005A1000-memory.dmp

Filesize
516KB

Download
memory/1108-14-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1576-45-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1576-36-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1576-38-0x0000000000E30000-0x0000000000E32000-memory.dmp

Filesize
8KB

Download
memory/1576-41-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1576-46-0x0000000000E30000-0x0000000000E32000-memory.dmp

Filesize
8KB

Download
memory/1576-47-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1576-48-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1576-49-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/1576-50-0x00000000005B0000-0x0000000000649000-memory.dmp

Filesize
612KB

Download
memory/2040-17-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/2040-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2040-0-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download